Conversation

@lucperkins lucperkins (Member) commented Dec 16, 2025

Summary by CodeRabbit

  • New Features

    • CLI now displays version information in help output.
  • Chores

    • Replaced and consolidated CI/CD workflows; added a multi-target build-and-release pipeline and removed an older workflow.
    • Updated formatting tooling and flake configuration signatures to standardize per-system packaging and dev shells.


@coderabbitai coderabbitai bot commented Dec 16, 2025

Warning

Rate limit exceeded

@lucperkins has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 3 minutes and 47 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 37af8ac and 1e12465.

📒 Files selected for processing (1)
  • .github/workflows/build-and-release.yml (1 hunks)

Walkthrough

Removes an old CI workflow, adds a new multi-target build-and-release workflow with artifact upload to GitHub and S3, updates Nix formatting and flake outputs/refactoring, and exposes CLI version metadata via a Clap attribute.

Changes

Cohort / File(s): Summary

GitHub Actions — removed
  .github/workflows/determinate-ci.yml
  Deletes legacy determinate CI workflow (triggers, concurrency, job that reused external workflow, permissions and inputs).

GitHub Actions — added/updated
  .github/workflows/build-and-release.yml, .github/workflows/nix.yml
  Adds build-and-release.yml with multi-system matrix builds, per-target artifact preparation and upload, and an S3 upload job using secrets; updates nix.yml to use nixfmt (replacing nixpkgs-fmt) and minor step title change.

Nix flake refactor
  flake.nix
  Changes outputs signature to { self, ... }@inputs:, switches internal inputs.self references to self, extracts lib from inputs.nixpkgs, adds a per-system formatter attribute, updates devShells/packages to accept system, and updates src = self.

Rust CLI metadata
  src/cli.rs
  Adds #[command(version)] attribute to the public Cli struct to expose version in CLI help/output.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant GH as GitHub Actions (workflow)
  participant Runner as Runner (host)
  participant Determ as Determinate Nix / Build cache
  participant Artif as Artifact storage (GitHub)
  participant S3 as S3 bucket

  GH->>Runner: checkout code\nsetup Determinate Nix\nset FlakeHub cache
  Runner->>Determ: nix build -L (matrix target)
  Determ-->>Runner: build result (./result)
  Runner->>Artif: prepare artifact (copy result/bin -> artifacts/)
  Runner->>Artif: upload artifact (GitHub Actions upload)
  GH->>S3: trigger upload job (downloads artifacts)
  GH->>S3: push artifacts using action with AWS secrets
  S3-->>GH: confirm upload

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Review focus:
    • flake.nix outputs/signature and all places referencing self/inputs.
    • build-and-release.yml matrix, artifact naming, and S3 secret usage.
    • nix.yml formatter change to ensure CI formatting step remains correct.

Possibly related PRs

Suggested reviewers

  • RossComputerGuy

Poem

🐰 I hopped through flakes and workflow streams,
I nudged self here and fmt in dreams,
Artifacts packed, then sent to the sky,
A version flag added — a jubilant sigh,
Hop, build, release — we bounce up high! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Description Check (✅ Passed): Check skipped - CodeRabbit’s high-level summary is enabled.
Title check (✅ Passed): The title 'Upload flake-iter to S3' directly and clearly summarizes the main change introduced in the PR: the addition of a GitHub Actions workflow that uploads the flake-iter build artifacts to S3 storage.
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (4)
.github/workflows/build-and-upload.yml (1)

1-6: Missing workflow name attribute.

Adding a name attribute improves visibility in the GitHub Actions UI, especially since this workflow is called by multiple release workflows.

+name: Build and upload
+
 on:
   workflow_call:
.github/workflows/release-tag.yml (1)

5-6: Tag pattern may match unintended versions.

The pattern v*.*.* will also match tags like v1.2.3-beta, v1.2.3.4, or v1.2.3-rc1. If you want to match only strict semver tags, consider a more specific pattern.

For stricter semver matching:

   tags:
-      - v*.*.*
+      - 'v[0-9]+.[0-9]+.[0-9]+'
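Review bot: the replacement is a GitHub filter pattern (a glob matched against the whole tag name), not a regular expression, so it behaves as the comment intends: `v1.2.3-beta` and `v1.2.3.4` no longer match, while `v1.2.3` still does; the single quotes are harmless but not required for a plain YAML scalar. Because this filter decides which tag pushes start the release job, the strict form is the safer default; if pre-release builds are wanted, add them as a second explicit entry (for example a separate `'v[0-9]+.[0-9]+.[0-9]+-*'` line) rather than going back to `v*.*.*`, so that each accepted tag shape is visible in the trigger.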

Alternatively, if you need to support pre-release tags separately, keep the current pattern.

.github/workflows/release-pr.yml (2)

24-31: Consider scoping concurrency control to individual PRs.

The current concurrency: release setting means only one PR release can run at a time across all PRs. This could block concurrent PR releases unnecessarily.

Apply this diff to scope concurrency to the specific PR:

-    concurrency: release
+    concurrency: release-pr-${{ github.event.pull_request.number }}
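Review bot: `github.event.pull_request.number` is only populated on pull_request-type events, so the group name depends on this workflow never gaining another trigger; if a `workflow_dispatch` or `push` trigger is added later, every run would fall into the same `release-pr-` group again. `concurrency: release-pr-${{ github.event.pull_request.number || github.ref }}` keeps the per-PR scoping and degrades to per-ref scoping instead of silently collapsing.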

36-37: Consider using mkdir -p for more robust directory creation.

The current command chains rm -rf and mkdir, which will fail if the removal fails for any reason.

Apply this diff for a more robust approach:

-        run: rm -rf ./artifacts && mkdir ./artifacts
+        run: mkdir -p ./artifacts
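Review bot: the two commands are not equivalent, and the difference matters for a directory that is later uploaded wholesale to S3. `rm -rf ./artifacts && mkdir ./artifacts` guarantees an empty directory; `mkdir -p ./artifacts` leaves whatever is already there in place, so a stale file from an earlier step would be shipped alongside the fresh build. If the goal is robustness rather than leniency, keep the cleanup and only make the second half tolerant: `rm -rf ./artifacts && mkdir -p ./artifacts`.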

Note: If you specifically need to ensure a clean directory, the current approach is acceptable.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e4188aa and 29ebd8c.

⛔ Files ignored due to path filters (1)
  • flake.lock is excluded by !**/*.lock
📒 Files selected for processing (7)
  • .github/actions/download-persist.yaml (1 hunks)
  • .github/workflows/build-and-upload.yml (1 hunks)
  • .github/workflows/determinate-ci.yml (0 hunks)
  • .github/workflows/release-branch.yml (1 hunks)
  • .github/workflows/release-pr.yml (1 hunks)
  • .github/workflows/release-tag.yml (1 hunks)
  • flake.nix (3 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/determinate-ci.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build-artifacts (aarch64-darwin, macos-latest-xlarge, flake-iter-ARM64-macOS)
  • GitHub Check: build-artifacts (x86_64-linux, ubuntu-24.04, flake-iter-ARM64-Linux)
  • GitHub Check: flake-check
  • GitHub Check: rust-fmt-and-clippy
🔇 Additional comments (8)
flake.nix (1)

17-18: LGTM!

The updated outputs signature using { self, ... }@inputs: is the idiomatic pattern for accessing self in Nix flakes. The subsequent changes to use self.overlays.default and src = self are cleaner than the previous inputs.self approach.

.github/workflows/release-branch.yml (1)

8-54: LGTM!

The workflow structure is well-designed with proper job dependencies, concurrency control, and environment isolation. The artifact download steps correctly reference the expected platform combinations.

.github/workflows/release-tag.yml (1)

17-19: Consider adding a GitHub release creation step.

The workflow has contents: write permission (for uploading to GitHub releases as noted), but there's no step that actually creates a GitHub release. If you intend to create releases, consider adding a step using softprops/action-gh-release or gh release create.

Is the GitHub release creation handled elsewhere, or should it be added to this workflow?

.github/workflows/build-and-upload.yml (1)

27-28: actions/checkout@v6 is correct and current.

Version v6.0.1 is the latest release of actions/checkout, not v4. The code is already using the correct, up-to-date action.

.github/actions/download-persist.yaml (1)

23-23: Verify actions/download-artifact@v6 exists and fix composite action input syntax.

The file uses type: choice for inputs (lines 8, 14), which is invalid for composite actions—use type: string instead. Additionally, verify that actions/download-artifact@v6 is available; recent stable versions are v4 or earlier.

.github/workflows/release-pr.yml (3)

3-10: LGTM!

The PR trigger configuration appropriately covers the necessary event types for a build-and-release workflow.


12-22: Conditional logic correctly restricts artifact uploads to intra-repo PRs with the 'upload to s3' label.

The build job properly gates artifact uploads by checking that the PR originates from the main repository and that the 'upload to s3' label is present. The reusable workflow reference to .github/workflows/build-and-upload.yml is valid, and the approach promotes DRY principles.


39-58: Local action is properly implemented and supports all specified platforms.

The ./.github/actions/download-persist action is a well-structured composite action that supports the three platforms in this workflow: macOS ARM64, Linux x64, and Linux ARM64. The action correctly constructs artifact names using the pattern {name}-{arch}-{os} and persists downloads to platform-specific directories. No issues found.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (4)
.github/workflows/build-and-release.yml (4)

36-38: Consider making the build system explicit.

The build command relies on native builds without explicitly specifying the target system. While this should work since runners match target architectures, consider either:

  • Adding a comment explaining the native build approach
  • Or explicitly passing the system: nix build -L .#packages.${{ matrix.systems.nix-system }}.default

31-34: Pin action versions instead of using @main.

Using @main for actions can lead to unexpected breakage and security concerns. Consider pinning to specific versions or release tags.

Apply this approach to pin versions:

-      - name: Install Determinate Nix
-        uses: DeterminateSystems/determinate-nix-action@main
-
-      - name: Set up FlakeHub Cache
-        uses: DeterminateSystems/flakehub-cache-action@main
+      - name: Install Determinate Nix
+        uses: DeterminateSystems/determinate-nix-action@v1.2.3  # Use actual latest stable version
+
+      - name: Set up FlakeHub Cache
+        uses: DeterminateSystems/flakehub-cache-action@v1.0.0  # Use actual latest stable version
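Review bot: the `+` lines use placeholder tags (`v1.2.3`, `v1.0.0`) that do not correspond to known releases, so this cannot be applied as written, and a tag is still a mutable ref that the action's owner can move after the fact. The pin that addresses the security concern named in the comment is a full commit SHA with the human-readable version in a trailing comment, e.g. `uses: DeterminateSystems/determinate-nix-action@<40-hex commit>  # vX.Y.Z`; Dependabot's `github-actions` ecosystem keeps SHA pins and their comments current. The same treatment belongs on `actions/checkout` and `actions/download-artifact` in this file.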

65-72: Pin action version instead of using @main.

Similar to the earlier actions, DeterminateSystems/push-artifact-ids@main should be pinned to a specific version for reproducibility and security.

       - name: Upload to S3
-        uses: DeterminateSystems/push-artifact-ids@main
+        uses: DeterminateSystems/push-artifact-ids@v1.0.0  # Use actual latest stable version
         with:
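Review bot: same point as the previous hunk, with higher stakes: this is the step that receives the AWS secrets and writes to the S3 bucket, so a retagged or force-pushed `@main` here has the most direct consequences. Pin it to a commit SHA (the `v1.0.0` shown is a placeholder, not a released tag) before the other two, and keep the `with:` inputs unchanged.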

59-63: Update actions/download-artifact to the latest version.

actions/download-artifact@v7 is the current version, which runs on Node.js 24 and requires a minimum Actions Runner version of 2.327.1. Update to v7 to align with the latest release:

       - name: Download artifacts directory
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v7
         with:
           name: artifacts
           path: ./artifacts
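Review bot: the `-` and `+` lines are identical (`actions/download-artifact@v7` on both), so this diff is a no-op and the comment's premise that the file needs updating is not borne out by its own context lines; the step is already on v7. The note also contradicts the earlier review comment on `.github/actions/download-persist.yaml` that put the latest stable at v4 or earlier, so one of the two should be checked against the upstream releases before either is acted on. The runner requirement (2.327.1 or newer) is the part worth keeping, since a self-hosted runner below that version would fail this step.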
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9d21c69 and c98810d.

📒 Files selected for processing (3)
  • .github/workflows/build-and-release.yml (1 hunks)
  • .github/workflows/nix.yml (1 hunks)
  • flake.nix (4 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: flake-check
  • GitHub Check: rust-fmt-and-clippy
🔇 Additional comments (7)
flake.nix (4)

18-21: LGTM: Clean refactor for clarity.

The explicit self binding and lib extraction reduce verbosity and improve readability. The changes are applied consistently throughout the file (lines 30, 36, 57, 60, 103).


33-33: LGTM: System parameter enables formatter reference.

Adding system to forEachSupportedSystem outputs is necessary for the self.formatter.${system} reference on line 79.

Also applies to: 68-68


98-98: LGTM: Future-proofs the function signature.

Adding ... to the packages function signature allows for future extensibility, though currently only pkgs is used. This maintains consistency with the devShells pattern.


79-79: The switch to nixfmt as the formatter is well-supported. The official Nix formatter nixfmt is now stable and available as pkgs.nixfmt, and nixfmt includes a check flag for use in CI. No additional verification needed.

.github/workflows/nix.yml (1)

21-21: LGTM: Consistent formatter switch.

The workflow correctly switches to nixfmt to align with the flake.nix formatter attribute change. This maintains consistency across the repository.

.github/workflows/build-and-release.yml (2)

1-6: LGTM!

The workflow triggers are appropriate for a build and release pipeline, covering manual dispatch, PR validation, and main branch builds.


8-25: LGTM!

The matrix configuration correctly maps target architectures to appropriate runners for native builds. The permissions are properly configured for OIDC authentication.

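The two review comments above on `@main` references are, in effect, a lint rule: every remote `uses:` target should point at an immutable commit rather than a branch or a tag. The following is an added example of that check, written for this page and not taken from the PR or from the flake-iter project. It assumes workflows are scanned as text (no YAML parser is needed for the `uses:` lines), that a "pinned" reference is a 40-hex commit id, and that the sample workflow embedded below is a constructed approximation of the steps the review describes; the SHA in it is an all-zeros placeholder, not a real commit.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not code from the PR under review or from the project.
"""
import re
from typing import List, NamedTuple

# Matches `uses: <target>` with an optional trailing `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>[^\s#]+)(?:\s+#\s*(?P<comment>.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# vX, vX.Y.Z, X.Y.Z-rc1 and similar release-style tags.
TAG_RE = re.compile(r"^v?\d+(\.\d+)*([-+][0-9A-Za-z.-]+)?$")


class Finding(NamedTuple):
    line: int       # 1-based line number in the workflow text
    action: str     # owner/repo[/path], or the local / docker target
    ref: str        # text after '@' (empty for local and docker targets)
    kind: str       # "sha", "tag", "branch", "local" or "docker"
    comment: str    # trailing comment, e.g. the version a SHA pin stands for


def classify_ref(ref: str) -> str:
    """Classify what follows '@': immutable SHA, mutable tag, or a branch/other ref."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def scan_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line in the workflow text."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        target = m.group("target").strip("'\"")
        comment = (m.group("comment") or "").strip()
        if target.startswith("./"):
            findings.append(Finding(lineno, target, "", "local", comment))
        elif target.startswith("docker://"):
            findings.append(Finding(lineno, target, "", "docker", comment))
        else:
            action, _, ref = target.partition("@")
            # A remote action with no '@ref' is treated as unpinned.
            kind = classify_ref(ref) if ref else "branch"
            findings.append(Finding(lineno, action, ref, kind, comment))
    return findings


def unpinned(findings: List[Finding]) -> List[Finding]:
    """Mutable references: a branch such as `@main`, or a tag the owner can move."""
    return [f for f in findings if f.kind in ("tag", "branch")]


def missing_version_comment(findings: List[Finding]) -> List[Finding]:
    """SHA pins with no trailing comment are hard to audit; report them too."""
    return [f for f in findings if f.kind == "sha" and not f.comment]


# Constructed sample modelled on the steps the review describes (hypothetical).
SAMPLE_WORKFLOW = """\
jobs:
  build-artifacts:
    steps:
      - uses: actions/checkout@v6
      - name: Install Determinate Nix
        uses: DeterminateSystems/determinate-nix-action@main
      - name: Set up FlakeHub Cache
        uses: DeterminateSystems/flakehub-cache-action@main
      - name: Download artifacts directory
        uses: ./.github/actions/download-persist
      - name: Upload to S3
        uses: DeterminateSystems/push-artifact-ids@0000000000000000000000000000000000000000  # vX.Y.Z (placeholder SHA)
"""


def report(text: str) -> List[str]:
    """Human-readable lines for every reference that should be tightened."""
    lines = []
    for f in unpinned(scan_workflow(text)):
        if f.kind == "branch":
            advice = "branch ref; pin to a commit SHA"
        else:
            advice = "tag ref; tags are mutable, prefer a commit SHA"
        lines.append(f"line {f.line}: {f.action}@{f.ref} ({advice})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_WORKFLOW):
        print(line)
```

Run against a real workflow with `report(open(".github/workflows/build-and-release.yml").read())`; local composite actions (`./...`) are listed but never flagged, since they travel with the checked-out commit, and SHA pins without a version comment are surfaced separately by `missing_version_comment` so a reviewer can still tell which release a hash stands for.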
@lucperkins lucperkins requested a review from grahamc December 16, 2025 16:39
@lucperkins lucperkins merged commit a5f3e9c into main Dec 17, 2025
7 checks passed
@lucperkins lucperkins deleted the upload-to-s3 branch December 17, 2025 13:43