From e214da093fd76c8edb94577b7ac4ba57cc7226bd Mon Sep 17 00:00:00 2001
From: ryoppippi <1560508+ryoppippi@users.noreply.github.com>
Date: Sun, 1 Feb 2026 19:59:03 +0000
Subject: [PATCH] feat(nix): add flake checks for CI validation

Consolidate all CI checks into nix flake check for unified validation:
- formatting: treefmt check (nixfmt, ruff-check, ruff-format, oxfmt)
- gitleaks: secret detection
- uv-lock: verify lockfile is up to date
- ty: type checking with Python 3.13
- pytest: test suite execution
All checks use --locked flag to ensure lockfile consistency and pin Python to 3.13 for compatibility with dependencies like onnxruntime.
---
 flake.nix | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)

diff --git a/flake.nix b/flake.nix
index 914d26a..37348a5 100644
--- a/flake.nix
+++ b/flake.nix
@@ -80,6 +80,109 @@
 {
 formatter = treefmtEval.config.build.wrapper;
+ checks = {
+ formatting = treefmtEval.config.build.check ./.;
+
+ gitleaks =
+ pkgs.runCommand "check-gitleaks"
+ {
+ nativeBuildInputs = [ pkgs.gitleaks ];
+ src = pkgs.lib.fileset.toSource {
+ root = ./.;
+ fileset = pkgs.lib.fileset.gitTracked ./.;
+ };
+ }
+ ''
+ cd $src
+ gitleaks detect --source . --config .gitleaks.toml --no-git
+ touch $out
+ '';
+
+ uv-lock =
+ pkgs.runCommand "check-uv-lock"
+ {
+ nativeBuildInputs = [
+ pkgs.uv
+ pkgs.cacert
+ ];
+ src = pkgs.lib.fileset.toSource {
+ root = ./.;
+ fileset = pkgs.lib.fileset.gitTracked ./.;
+ };
+ SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ }
+ ''
+ cd $src
+ export HOME=$(mktemp -d)
+ uv lock --check
+ touch $out
+ '';
+
+ ty =
+ pkgs.runCommand "check-ty"
+ {
+ nativeBuildInputs = [
+ pkgs.ty
+ pkgs.uv
+ pkgs.python313
+ pkgs.cacert
+ ];
+ src = pkgs.lib.fileset.toSource {
+ root = ./.;
+ fileset = pkgs.lib.fileset.gitTracked ./.;
+ };
+ SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ }
+ ''
+ cp -r $src/. ./workdir
+ chmod -R u+w ./workdir
+ cd ./workdir
+
+ export HOME=$(mktemp -d)
+ export UV_LINK_MODE=copy
+
+ uv sync --all-extras --locked --python ${pkgs.python313}/bin/python3.13
+ uv run ty check stackone_ai
+ touch $out
+ '';
+
+ pytest =
+ pkgs.runCommand "check-pytest"
+ {
+ nativeBuildInputs = [
+ pkgs.uv
+ pkgs.python313
+ pkgs.bun
+ pkgs.pnpm_10
+ pkgs.typescript-go
+ pkgs.git
+ pkgs.cacert
+ ];
+ src = pkgs.lib.fileset.toSource {
+ root = ./.;
+ fileset = pkgs.lib.fileset.gitTracked ./.;
+ };
+ SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ }
+ ''
+ cp -r $src/. 
./workdir
+ chmod -R u+w ./workdir
+ cd ./workdir
+
+ export HOME=$(mktemp -d)
+ export UV_LINK_MODE=copy
+
+ # Initialize git submodules
+ git init
+ git submodule update --init --recursive || true
+
+ # Install dependencies and run tests
+ uv sync --all-extras --locked --python ${pkgs.python313}/bin/python3.13
+ uv run pytest
+ touch $out
+ '';
+ };
+
 devShells.default = pkgs.mkShellNoCC {
 buildInputs = with pkgs; [
 uv
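Review bot: The `uv lock --check` and `uv sync --all-extras --locked ...` steps in the uv-lock, ty and pytest checks run inside plain `pkgs.runCommand` derivations, which get no network access under Nix's default sandbox, so these checks presumably only pass with sandboxing disabled (the `pkgs.cacert`/`SSL_CERT_FILE` wiring suggests that is the intended setup); a comment stating that requirement, e.g. `# NOTE: needs network (uv fetches from PyPI); run with sandbox disabled or pre-populate the uv cache`, would keep them from being mistaken for hermetic checks. For the same reason `git submodule update --init --recursive || true` in the pytest check cannot fetch anything, and the `|| true` hides the failure, so pytest presumably runs against empty submodule directories; either drop the step or let it fail loudly by removing `|| true`. Separately, `gitleaks detect --source . --config .gitleaks.toml --no-git` on a `gitTracked` fileset scans only the files in the current tree, not commit history, so a secret that was committed and later removed is not reported — worth a one-line comment such as `# scans the tracked working tree only, not git history` so nobody reads this check as history coverage.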