ci: split out Nix CI; rename CI workflow to Rust CI#114
Conversation
Add .github/workflows/nix.yml — builds the flake's `.#openlogi` package on macOS, gated to files that affect the Nix build (Cargo.lock, flake.*, nix/**, the committed .icns). Catches cargoHash drift (it changes on any Cargo.lock bump) before it bites a release/nixpkgs bump. Rename the existing all-Rust workflow's display name CI -> Rust CI (job names unchanged, so required status checks are unaffected).
![pullfrog[bot]](https://avatars.githubusercontent.com/in/1768019?s=60&v=4){kind=small}
There was a problem hiding this comment.
✅ No new issues found.
Reviewed changes — splits CI into two workflows: renames the existing ci.yml display name from "CI" to "Rust CI", and adds nix.yml that builds the flake .#openlogi on macos-latest, gated to files that actually affect the Nix build.
- Rename
ci.ymlname to "Rust CI" — job names unchanged (required status checks unaffected) - New
nix.yml— builds the Nix package withnix build .#openlogi -L, path-filtered toCargo.lock,flake.nix,flake.lock,nix/**, the committedAppIcon.icns, and the workflow itself
All referenced paths exist in the repo. The flake exposes .#openlogi as expected. Standard actions (actions/checkout@v6, DeterminateSystems/nix-installer-action@v22). Clean, well-documented change — nothing to flag.
Big Pickle (free) (credentials for Anthropic not configured) | 𝕏
The Nix CI added here caught the stale cargoHash (master moved to 0.4.1) and the `media` (gpui dep) bindgen build needs libclang via rustPlatform.bindgenHook in a clean sandbox.
Greptile SummaryThis PR splits the monolithic CI workflow into two focused workflows — "Rust CI" (renamed
Confidence Score: 5/5Safe to merge — changes are additive CI infrastructure and a routine Nix package maintenance update with no impact on the Rust build or application logic. The ci.yml change is a one-word rename with zero functional impact. The new nix.yml workflow is well path-gated and only adds build coverage. The package.nix changes are maintenance: a version bump, a corrected cargoHash, a missing bindgenHook that was causing build failures, and comment clarifications. No application code, no migrations, no auth paths are touched. No files require special attention. The new nix.yml workflow has no caching step, so each triggered build starts cold — but this is a cost/speed trade-off, not a correctness issue. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
push[Push / PR] --> rust_filter{Rust CI trigger\nany push/PR}
push --> nix_filter{Nix CI trigger\npath-gated}
rust_filter --> rust_jobs[rustfmt · clippy\ncheck-linux · test-linux\ntest-macos arm64/x86_64\ncheck-windows]
nix_filter -->|Cargo.lock / flake.* / nix/**\n.icns / nix.yml changed| nix_job[nix build .#openlogi -L\nmacos-latest arm64]
nix_filter -->|no matching paths| skip[Workflow skipped]
nix_job --> pass{Build result}
pass -->|success| ok[cargoHash fresh]
pass -->|failure| fail[Logs print correct sha256\nUpdate cargoHash in package.nix]
Reviews (3): Last reviewed commit: "fix(nix): use the CI-computed cargoHash;..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
| - uses: actions/checkout@v6 | ||
| - uses: DeterminateSystems/nix-installer-action@v22 |
There was a problem hiding this comment.
actions/checkout@v6 and DeterminateSystems/nix-installer-action@v22 use floating version tags. If either tag is force-pushed to a different commit (accidentally or maliciously), the workflow silently picks up the new code with full runner permissions. Pinning to a commit SHA (e.g. actions/checkout@<sha>) eliminates this risk. This is consistent with ci.yml's existing pattern, but the new workflow is a good opportunity to tighten things up.
| jobs: | ||
| build: | ||
| name: nix build (macOS) |
There was a problem hiding this comment.
Without a concurrency group, rapid successive pushes to master (or a PR with multiple force-pushes) can queue several macOS jobs simultaneously. macOS runners are the most expensive in GitHub Actions; cancelling in-progress runs when a newer one starts keeps costs down.
| jobs: | |
| build: | |
| name: nix build (macOS) | |
| concurrency: | |
| group: nix-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: nix build (macOS) |
Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
nix-update can't bump this flake's cargoHash — it tracks a remote version the local working-tree src doesn't have. Add nix/refresh-cargo-hash.sh, which sets a fake hash, builds, and writes back the value Nix reports (the vendor FOD fails before gpui compiles, so it's fast). Point the package.nix comment at it; the nix.yml guard still catches a stale hash in CI and prints the correct one.
The nix.yml build computed a different vendor hash than the committed value — fetchCargoVendor isn't reproducible across environments here (same aarch64-darwin, same pinned nixpkgs, same Cargo.lock still differ). Use CI's value (it prints the one to use) so the guard goes green. Drop nix/refresh-cargo-hash.sh: it computes the hash locally, which can differ from CI's and would re-break the build. The cargoHash comment now points at the nix.yml log as the source of truth. Also restrict the nix.yml push trigger to master (drop main).
1 participant
Splits CI into two clearly-named workflows.
nix.yml(new — "Nix CI")Builds the flake's
.#openlogipackage onmacos-latest(nix build .#openlogi -L).cargoHashgoes stale wheneverCargo.lockchanges (dep bump, release version bump, or a gpui pin bump) — a stale hash fails the build. This catches it automatically instead of surprising the next release/nixpkgs bump. (We just hit exactly this: 0.4.0sha256-bY/…→ 0.4.1sha256-xtO1….)Cargo.lock,flake.*,nix/**, the committed.icns, the workflow itself), so it doesn't run on every Rust change — Rust CI covers those.ci.yml→ display name "Rust CI"Only the workflow's
name:changed (CI → Rust CI). Job names are unchanged, so any required status checks are unaffected; the file and its triggers stay the same.Uses
DeterminateSystems/nix-installer-action@v22(flakes on by default) +actions/checkout@v6.cargoHash maintenance (
nix/refresh-cargo-hash.sh)The flake builds the working tree (local
src), sonix-updatecan't refreshthe
cargoHash— it tracks a remote version a local src doesn't have. Addednix/refresh-cargo-hash.sh: it sets a fake hash, builds, and writes back thevalue Nix reports (the vendor FOD fails before gpui compiles, so it's fast).
The
nix.ymlbuild above is the fail-closed guard; this script is the one-command fix.Verified locally:
nix build .#openlogireports the committed cargoHash, and thescript round-trips to
cargoHash already up to date.Supersedes #133 (the remove-the-flake alternative) — keeping the flake with low-maintenance cargoHash instead of dropping it.