
Commit e214da0

committed
feat(nix): add flake checks for CI validation
Consolidate all CI checks into `nix flake check` for unified validation:

- formatting: treefmt check (nixfmt, ruff-check, ruff-format, oxfmt)
- gitleaks: secret detection
- uv-lock: verify lockfile is up to date
- ty: type checking with Python 3.13
- pytest: test suite execution

All checks use the `--locked` flag to ensure lockfile consistency and pin Python to 3.13 for compatibility with dependencies such as onnxruntime.
1 parent c53a85d commit e214da0

1 file changed

+103
-0
lines changed


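--- a/flake.nix
+++ b/flake.nix
@@ -80,6 +80,109 @@
 {
 formatter = treefmtEval.config.build.wrapper;
 
+checks = {
+formatting = treefmtEval.config.build.check ./.;
+
+gitleaks =
+pkgs.runCommand "check-gitleaks"
+{
+nativeBuildInputs = [ pkgs.gitleaks ];
+src = pkgs.lib.fileset.toSource {
+root = ./.;
+fileset = pkgs.lib.fileset.gitTracked ./.;
+};
+}
+''
+cd $src
+gitleaks detect --source . --config .gitleaks.toml --no-git
+touch $out
+'';
+
+uv-lock =
+pkgs.runCommand "check-uv-lock"
+{
+nativeBuildInputs = [
+pkgs.uv
+pkgs.cacert
+];
+src = pkgs.lib.fileset.toSource {
+root = ./.;
+fileset = pkgs.lib.fileset.gitTracked ./.;
+};
+SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+}
+''
+cd $src
+export HOME=$(mktemp -d)
+uv lock --check
+touch $out
+'';
+
+ty =
+pkgs.runCommand "check-ty"
+{
+nativeBuildInputs = [
+pkgs.ty
+pkgs.uv
+pkgs.python313
+pkgs.cacert
+];
+src = pkgs.lib.fileset.toSource {
+root = ./.;
+fileset = pkgs.lib.fileset.gitTracked ./.;
+};
+SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+}
+''
+cp -r $src/. ./workdir
+chmod -R u+w ./workdir
+cd ./workdir
+
+export HOME=$(mktemp -d)
+export UV_LINK_MODE=copy
+
+uv sync --all-extras --locked --python ${pkgs.python313}/bin/python3.13
+uv run ty check stackone_ai
+touch $out
+'';
+
+pytest =
+pkgs.runCommand "check-pytest"
+{
+nativeBuildInputs = [
+pkgs.uv
+pkgs.python313
+pkgs.bun
+pkgs.pnpm_10
+pkgs.typescript-go
+pkgs.git
+pkgs.cacert
+];
+src = pkgs.lib.fileset.toSource {
+root = ./.;
+fileset = pkgs.lib.fileset.gitTracked ./.;
+};
+SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+}
+''
+cp -r $src/. ./workdir
+chmod -R u+w ./workdir
+cd ./workdir
+
+export HOME=$(mktemp -d)
+export UV_LINK_MODE=copy
+
+# Initialize git submodules
+git init
+git submodule update --init --recursive || true
+
+# Install dependencies and run tests
+uv sync --all-extras --locked --python ${pkgs.python313}/bin/python3.13
+uv run pytest
+touch $out
+'';
+};
+
 devShells.default = pkgs.mkShellNoCC {
 buildInputs = with pkgs; [
 uv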
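Review bot: The `ty` and `pytest` derivations run `uv sync --all-extras --locked`, which has to fetch wheels, and `uv lock --check` in `uv-lock` may need to reach the index from an empty `$HOME`, yet none of the four `runCommand` derivations is a fixed-output derivation (no `outputHash`), so under the default Nix sandbox they have no network and will fail; the `SSL_CERT_FILE` / `pkgs.cacert` setup suggests network access is expected. If CI makes them pass by running with the sandbox disabled, that should be stated next to `checks = {` in a comment such as `# NOTE: uv-lock, ty and pytest need network; these only pass with the Nix sandbox disabled or via a fixed-output wrapper`, because a non-sandboxed check gives up the hermeticity a flake check normally provides. In `pytest`, `git init` on the copied fileset produces a repository with no commits and no gitlinks in the index (the fileset is `gitTracked`, which does not carry `.git`), so `git submodule update --init --recursive` appears to be a no-op, and the trailing `|| true` hides that along with any real fetch failure; dropping `|| true`, or asserting that the expected submodule paths are non-empty before `uv run pytest`, would make a missing fixture fail loudly instead of silently running a reduced test suite. The surrounding `flake.nix` outputs attribute set starts and ends outside this hunk.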
