diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index 9cb3171ae..b6590f0a0 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml @@ -37,23 +37,16 @@ jobs: - name: Check flake id: flake - if: runner.os == 'Linux' continue-on-error: true run: nix flake check --print-build-logs - - name: Build package - id: build - if: runner.os == 'Linux' - continue-on-error: true - run: nix build --print-build-logs - - # When the real Nix build fails, run a targeted diagnostic to see if + # When the flake check fails, run a targeted diagnostic to see if # the failure is specifically a stale npm lockfile hash in one of the # known npm subpackages (tui / web). This avoids surfacing a generic # "build failed" message when the fix is a single known command. - name: Diagnose npm lockfile hashes id: hash_check - if: (steps.flake.outcome == 'failure' || steps.build.outcome == 'failure') && runner.os == 'Linux' + if: steps.flake.outcome == 'failure' && runner.os == 'Linux' continue-on-error: true env: LINK_SHA: ${{ steps.sha.outputs.full }} 
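Review bot: `Diagnose npm lockfile hashes` keeps `runner.os == 'Linux'` while `Check flake` loses that guard, so a stale-hash failure on a non-Linux runner now reaches the final step with no `stale` output and gets only the generic message. If that is intended, say so in the step comment, e.g. `# Linux-only: other runners fall through to the generic failure message.`; otherwise drop the OS condition here as well. The step body continues outside the hunk.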
@@ -88,30 +81,25 @@ jobs: - Or [run the Nix Lockfile Fix workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/nix-lockfile-fix.yml) manually (pass PR `#${{ github.event.pull_request.number }}`) - Or locally: `nix run .#fix-lockfiles` and commit the diff - # Clear the sticky comment when either the build passed outright (no + # Clear the sticky comment when either the flake check passed outright (no # hash check needed) or the hash check explicitly returned stale=false - # (build failed for a non-hash reason). + # (check failed for a non-hash reason). - name: Clear sticky PR comment (resolved) if: | github.event_name == 'pull_request' && - runner.os == 'Linux' && (steps.hash_check.outputs.stale == 'false' || - (steps.flake.outcome == 'success' && steps.build.outcome == 'success')) + steps.flake.outcome == 'success') uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1 with: header: nix-lockfile-check delete: true - - name: Final fail if build or flake failed - if: steps.flake.outcome == 'failure' || steps.build.outcome == 'failure' + - name: Final fail if flake check failed + if: steps.flake.outcome == 'failure' run: | if [ "${{ steps.hash_check.outputs.stale }}" == "true" ]; then echo "::error::Nix build failed due to stale npm lockfile hash. Run: nix run .#fix-lockfiles" else - echo "::error::Nix build/flake check failed. See logs above." + echo "::error::Nix flake check failed. See logs above." fi exit 1 - - - name: Evaluate flake (macOS) - if: runner.os == 'macOS' - run: nix flake show --json > /dev/null diff --git a/nix/checks.nix b/nix/checks.nix index e847ef26c..63ec1eb67 100644 --- a/nix/checks.nix +++ b/nix/checks.nix 
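Review bot: Dropping `runner.os == 'Linux' &&` from `Clear sticky PR comment (resolved)` lets any runner whose flake check succeeds delete the `nix-lockfile-check` comment, although only the Linux leg runs `hash_check` and can know whether the hash is stale. If the job runs as an OS matrix (the removed macOS step suggests it does), a passing non-Linux leg can remove a stale-hash comment that was presumably posted by the Linux leg for the same PR, depending on completion order. Keeping `runner.os == 'Linux' &&` in the condition leaves comment ownership with the leg that runs the diagnostic. Separately, as hardening, the final step splices `${{ steps.hash_check.outputs.stale }}` straight into the shell script; passing it through `env:`, as the workflow already does for `LINK_SHA`, keeps expression text out of the script body.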
@@ -58,6 +58,22 @@ json.dump(sorted(leaf_paths(DEFAULT_CONFIG)), sys.stdout, indent=2)
 echo "ok" > $out/result
 ''
 );
+
+ # Verify the default package builds successfully (cross-platform).
+ # On Linux the runtime checks below already depend on the package,
+ # but this ensures darwin builders also build it during flake check.
+ build-package = pkgs.runCommand "hermes-build-package" { } ''
+ echo "PASS: package built at ${hermes-agent}"
+ mkdir -p $out
+ echo "ok" > $out/result
+ '';
+
+ # Verify the devShell builds successfully (cross-platform).
+ build-devshell = pkgs.runCommand "hermes-build-devshell" { } ''
+ echo "PASS: devShell built at ${self'.devShells.default}"
+ mkdir -p $out
+ echo "ok" > $out/result
+ '';
 } // lib.optionalAttrs pkgs.stdenv.hostPlatform.isLinux {
 # Verify binaries exist and are executable
 package-contents = pkgs.runCommand "hermes-package-contents" { } ''
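Review bot: `build-devshell` interpolates `${self'.devShells.default}`, but the hunk does not show `self'` being added to this file's argument set; if checks.nix does not already bind it, evaluation would fail with an undefined variable on every platform. Both new checks only prove that the referenced derivation realises, which matches their comments, so a short note on the mechanism would help the next reader, e.g. `# Interpolating the store path makes this check depend on the build.`. The enclosing attribute set starts outside the hunk.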