From 717606fb3349bd5f0b8c3641b1fd8e8eb0c3cef3 Mon Sep 17 00:00:00 2001
From: Luc Perkins
Date: Mon, 22 Jun 2026 11:13:43 -0700
Subject: [PATCH 1/2] Decommission nixpkgs-fmt
---
 .github/workflows/ci.yml | 4 +-
 flake.lock | 32 ++++++------
 flake.nix | 108 ++++++++++++++++++++++++---------------
 nix/check.nix | 81 +++++++++++++++++------------
 4 files changed, 133 insertions(+), 92 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e94d5b5..f9a432c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,9 +34,9 @@ jobs:
 if: always()
 run: nix develop --command check-spelling
 
- - name: Check nixpkgs-fmt formatting
+ - name: Check Nix formatting
 if: always()
- run: nix develop --command check-nixpkgs-fmt
+ run: nix develop --command check-nix-fmt
 
 - name: Check rustfmt
 if: always()
diff --git a/flake.lock b/flake.lock
index 5d06c4c..66fe627 100644
--- a/flake.lock
+++ b/flake.lock
@@ -8,12 +8,12 @@
 "rust-analyzer-src": "rust-analyzer-src"
 },
 "locked": {
- "lastModified": 1777624102,
- "narHash": "sha256-thSyElkje577x/kAbP72nHlfiFc1a+tCudskLPHXe9s=",
- "rev": "4d81601e0b73f20d81d066754ad0e7d1e7f75a06",
- "revCount": 2646,
+ "lastModified": 1780314950,
+ "narHash": "sha256-1y6LHeumqA2lnUZap2yor+g4jMFtno5mx119LEv+dQQ=",
+ "rev": "8160d67d2693a1f7ea219db159ccdc29ae632918",
+ "revCount": 2677,
 "type": "tarball",
- "url": "https://api.flakehub.com/f/pinned/nix-community/fenix/0.1.2646%2Brev-4d81601e0b73f20d81d066754ad0e7d1e7f75a06/019de2eb-4157-78e2-99a4-47e0ab7416f5/source.tar.gz"
+ "url": "https://api.flakehub.com/f/pinned/nix-community/fenix/0.1.2677%2Brev-8160d67d2693a1f7ea219db159ccdc29ae632918/019e8362-a4ed-7631-b2a4-06d3f14d5570/source.tar.gz"
 },
 "original": {
 "type": "tarball",
@@ -50,11 +50,11 @@
 ]
 },
 "locked": {
- "lastModified": 1752689277,
- "narHash": "sha256-uldUBFkZe/E7qbvxa3mH1ItrWZyT6w1dBKJQF/3ZSsc=",
+ "lastModified": 1781258734,
+ "narHash": "sha256-rfZT1gFztHDqA4gcFLO/Qv74bulhW/mXYqIHYTmc1lA=",
 "owner": "nix-community",
 "repo": "naersk",
- "rev": "0e72363d0938b0208d6c646d10649164c43f4d64",
+ "rev": "3ddafa67a4c7d06483995c85c66a2d285b738833",
 "type": "github"
 },
 "original": {
@@ -65,12 +65,12 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1778003029,
- "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
- "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
- "revCount": 912297,
+ "lastModified": 1781216227,
+ "narHash": "sha256-9mUW6gNwoN2SWc/l0fW4svPNOulXLl8ijqKyeSOGgJE=",
+ "rev": "a0374025a863d007d98e3297f6aa46cc3141c2f0",
+ "revCount": 1006238,
 "type": "tarball",
- "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2511.912297%2Brev-0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5/019dfbf4-87c2-7d91-9a98-ccf8f9b548eb/source.tar.gz"
+ "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2605.1006238%2Brev-a0374025a863d007d98e3297f6aa46cc3141c2f0/019ec222-4173-7a63-9e83-5062b70a9018/source.tar.gz"
 },
 "original": {
 "type": "tarball",
@@ -87,11 +87,11 @@
 "rust-analyzer-src": {
 "flake": false,
 "locked": {
- "lastModified": 1777583169,
- "narHash": "sha256-dVJ4+wrRKc8oIgp3rLOFSq1obt/sCKlXy3h47qof/w0=",
+ "lastModified": 1780260465,
+ "narHash": "sha256-yJIyzYb6LhvbVMmj2EH62Mt0JHU3pQefr+oPEgaoaI8=",
 "owner": "rust-lang",
 "repo": "rust-analyzer",
- "rev": "aa64e4828a2bbba44463c1229a81c748d3cce583",
+ "rev": "c5d30e2331acb2cec913a086ab242591f4f367a5",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 605cb7e..80a2669 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,39 +16,53 @@ }; outputs = - { self - , nixpkgs - , fenix - , naersk - , ... - } @ inputs: + { + self, + nixpkgs, + fenix, + naersk, + ... + }@inputs: let - supportedSystems = [ "x86_64-linux" "aarch64-linux" "aarch64-darwin" ]; + supportedSystems = [ + "x86_64-linux" + "aarch64-linux" + "aarch64-darwin" + ]; forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: (forSystem system f)); - forSystem = system: f: f rec { - inherit system; - pkgs = nixpkgs.legacyPackages.${system}; - lib = pkgs.lib; - }; + forSystem = + system: f: + f rec { + inherit system; + pkgs = nixpkgs.legacyPackages.${system}; + lib = pkgs.lib; + }; - fenixToolchain = system: with fenix.packages.${system}; - combine ([ - stable.clippy - stable.rustc - stable.cargo - stable.rustfmt - stable.rust-src - stable.rust-analyzer - ] ++ nixpkgs.lib.optionals (system == "x86_64-linux") [ - targets.x86_64-unknown-linux-musl.stable.rust-std - ] ++ nixpkgs.lib.optionals (system == "aarch64-linux") [ - targets.aarch64-unknown-linux-musl.stable.rust-std - ]); + fenixToolchain = + system: + with fenix.packages.${system}; + combine ( + [ + stable.clippy + stable.rustc + stable.cargo + stable.rustfmt + stable.rust-src + stable.rust-analyzer + ] + ++ nixpkgs.lib.optionals (system == "x86_64-linux") [ + targets.x86_64-unknown-linux-musl.stable.rust-std + ] + ++ nixpkgs.lib.optionals (system == "aarch64-linux") [ + targets.aarch64-unknown-linux-musl.stable.rust-std + ] + ); in { - devShells = forAllSystems ({ system, pkgs, ... }: + devShells = forAllSystems ( + { system, pkgs, ... }: let toolchain = fenixToolchain system; check = import ./nix/check.nix { inherit pkgs toolchain; }; 
@@ -58,10 +72,9 @@ default = pkgs.mkShell.override { stdenv = pkgs.clangStdenv; } { name = "detsys-ids-client-shell"; - RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library"; + env.RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library"; - nativeBuildInputs = with pkgs; [ ]; - buildInputs = with pkgs; [ + packages = with pkgs; [ toolchain cargo-outdated cacert @@ -69,18 +82,22 @@ cargo-watch cargo-nextest cargo-machete - nixpkgs-fmt + self.formatter.${system} check.check-rustfmt check.check-spelling - check.check-nixpkgs-fmt + check.check-nix-fmt check.check-editorconfig check.check-clippy libiconv ]; }; - }); + } + ); + + formatter = forAllSystems ({ pkgs, ... }: pkgs.nixfmt-tree); - checks = forAllSystems ({ system, pkgs, ... }: + checks = forAllSystems ( + { system, pkgs, ... }: let toolchain = fenixToolchain system; check = import ./nix/check.nix { inherit pkgs toolchain; }; @@ -96,16 +113,25 @@ check-spelling touch $out ''; - check-nixpkgs-fmt = pkgs.runCommand "check-nixpkgs-fmt" { buildInputs = [ check.check-nixpkgs-fmt ]; } '' - cd ${./.} - check-nixpkgs-fmt - touch $out - ''; - check-editorconfig = pkgs.runCommand "check-editorconfig" { buildInputs = [ pkgs.git check.check-editorconfig ]; } '' + check-nix-fmt = pkgs.runCommand "check-nix-fmt" { buildInputs = [ check.check-nix-fmt ]; } '' cd ${./.} - check-editorconfig + check-nix-fmt touch $out ''; - }); + check-editorconfig = + pkgs.runCommand "check-editorconfig" + { + buildInputs = [ + pkgs.git + check.check-editorconfig + ]; + } + '' + cd ${./.} + check-editorconfig + touch $out + ''; + } + ); }; } diff --git a/nix/check.nix b/nix/check.nix index a4f4df3..573abd8 100644 --- a/nix/check.nix +++ b/nix/check.nix 
@@ -6,46 +6,61 @@ in { # Format - check-rustfmt = (writeShellApplication { - name = "check-rustfmt"; - runtimeInputs = [ toolchain ]; - text = "cargo fmt --check"; - }); + check-rustfmt = ( + writeShellApplication { + name = "check-rustfmt"; + runtimeInputs = [ toolchain ]; + text = "cargo fmt --check"; + } + ); # Spelling - check-spelling = (writeShellApplication { - name = "check-spelling"; - runtimeInputs = with pkgs; [ git typos ]; - text = '' - typos - ''; - }); + check-spelling = ( + writeShellApplication { + name = "check-spelling"; + runtimeInputs = with pkgs; [ + git + typos + ]; + text = '' + typos + ''; + } + ); # NixFormatting - check-nixpkgs-fmt = (writeShellApplication { - name = "check-nixpkgs-fmt"; - runtimeInputs = with pkgs; [ git nixpkgs-fmt findutils ]; - text = '' - nixpkgs-fmt --check . - ''; - }); + check-nix-fmt = ( + writeShellApplication { + name = "check-nix-fmt"; + runtimeInputs = with pkgs; [ + nixfmt-tree + ]; + text = '' + treefmt --ci + ''; + } + ); # EditorConfig - check-editorconfig = (writeShellApplication { - name = "check-editorconfig"; - runtimeInputs = with pkgs; [ eclint ]; - text = '' - eclint . - ''; - }); + check-editorconfig = ( + writeShellApplication { + name = "check-editorconfig"; + runtimeInputs = with pkgs; [ eclint ]; + text = '' + eclint . + ''; + } + ); # Clippy - check-clippy = (writeShellApplication { - name = "check-clippy"; - runtimeInputs = [ toolchain ]; - text = '' - cargo clippy --all-features --all-targets -- -D warnings - ''; - }); + check-clippy = ( + writeShellApplication { + name = "check-clippy"; + runtimeInputs = [ toolchain ]; + text = '' + cargo clippy --all-features --all-targets -- -D warnings + ''; + } + ); } From 560ed68ffe88a93a1b7c8a8dad0dcbc4f3e13646 Mon Sep 17 00:00:00 2001 
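Review bot: The `runtimeInputs` list of the new `check-nix-fmt` entry is the only single-element list in this file spread over three lines; the sibling `check-rustfmt` and `check-editorconfig` entries keep theirs on one line, so `runtimeInputs = with pkgs; [ nixfmt-tree ];` would read consistently. The `# NixFormatting` section comment could likewise become `# Nix formatting` to match the spacing of the other headings. Whether the formatter would re-expand the list on its next run is not visible from here.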
From: Luc Perkins
Date: Mon, 22 Jun 2026 12:08:34 -0700
Subject: [PATCH 2/2] Provide GitHub Actions pinning
---
 .github/dependabot.yml | 25 ++++++++++++++++---------
 .github/workflows/ci.yml | 8 +++++++-
 .github/workflows/publish.yml | 6 ++++--
 .github/zizmor.yml | 5 +++++
 flake.nix | 1 +
 5 files changed, 33 insertions(+), 12 deletions(-)
 create mode 100644 .github/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index de62de7..223ea9f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,18 +1,25 @@
 version: 2
 updates:
- - package-ecosystem: "github-actions"
- directory: "/"
+ - package-ecosystem: github-actions
+ directory: /
 schedule:
- interval: "weekly"
+ interval: weekly
+ cooldown:
+ default-days: 7
 groups:
- actions-deps:
- patterns:
- - "*"
+ actions:
+ patterns: ["*"]
+ ignore:
+ - dependency-name: DeterminateSystems/*
+ commit-message:
+ prefix: ci
 
- - package-ecosystem: "cargo"
- directory: "/"
+ - package-ecosystem: cargo
+ directory: /
 schedule:
- interval: "weekly"
+ interval: weekly
+ cooldown:
+ default-days: 7
 groups:
 cargo-deps:
 patterns:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f9a432c..98f3266 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,13 +19,19 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: actions/checkout@v7
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
 - uses: DeterminateSystems/nix-installer-action@main
 - uses: DeterminateSystems/flakehub-cache-action@main
 
 - name: Check Nixpkgs input
 uses: DeterminateSystems/flake-checker-action@main
 
+ - name: Lint GitHub Actions
+ if: always()
+ run: nix develop --command zizmor .github
+
 - name: Check EditorConfig conformance
 if: always()
 run: nix develop --command check-editorconfig
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9f73de1..1703b70 100644
--- a/.github/workflows/publish.yml
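Review bot: The new `ignore` entry for `DeterminateSystems/*` switches off Dependabot updates for those actions entirely, and together with the `ref-pin` policy added in `.github/zizmor.yml` they stay on `@main` in jobs that hold `id-token: write`; that is a deliberate trust decision, but nothing in the patch records why. Add a comment above the ignore entry, e.g. `# Tracked on @main on purpose; see .github/zizmor.yml for the matching unpinned-uses policy`, so the exemption is not later read as an oversight. The same comment belongs in `.github/zizmor.yml` next to the policy line.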
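Review bot: The new `Lint GitHub Actions` step runs zizmor without a `GH_TOKEN`, so as far as I recall the audits that need the GitHub API (for example the impostor-commit and known-vulnerable-actions checks) are skipped and only the offline audits run; adding `env:` with `GH_TOKEN: ${{ github.token }}` to the step keeps the full set, and the job's existing `contents: read` token is enough for that. The `persist-credentials: false` on checkout is the right default here, since no later step visible in the hunk pushes or needs git credentials. The job's `steps:` list continues outside the hunk.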
+++ b/.github/workflows/publish.yml
@@ -9,8 +9,10 @@ jobs:
 permissions:
 id-token: write # Required for OIDC token exchange
 steps:
- - uses: actions/checkout@v7
- - uses: rust-lang/crates-io-auth-action@v1
+ - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+ with:
+ persist-credentials: false
+ - uses: rust-lang/crates-io-auth-action@c6f97d42243bad5fab37ca0427f495c86d5b1a18 # v1.0.5
 id: auth
 - run: cargo publish
 env:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000..abdc40b
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ DeterminateSystems/*: ref-pin
diff --git a/flake.nix b/flake.nix
index 80a2669..231910f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -82,6 +82,7 @@
 cargo-watch
 cargo-nextest
 cargo-machete
+ zizmor
 self.formatter.${system}
 check.check-rustfmt
 check.check-spelling