From a429a2a0bfa19617a87d196f90163b89eb898272 Mon Sep 17 00:00:00 2001 From: ethernet Date: Fri, 29 May 2026 10:20:40 -0400 Subject: [PATCH] ci(nix): fold package+devShell builds into flake check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add build-package and build-devshell as cross-platform check derivations so nix flake check verifies the default package and devShell build on every platform (including darwin, which previously only did eval-only checks). This lets us drop the separate nix build step from the CI workflow and removes the macOS-only eval fallback — a single nix flake check now covers builds + runtime checks on all runners. --- .github/workflows/nix.yml | 28 ++++++++-------------------- nix/checks.nix | 16 ++++++++++++++++ 2 files changed, 24 insertions(+), 20 deletions(-) diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml index 9cb3171ae..b6590f0a0 100644 --- a/.github/workflows/nix.yml +++ b/.github/workflows/nix.yml @@ -37,23 +37,16 @@ jobs: - name: Check flake id: flake - if: runner.os == 'Linux' continue-on-error: true run: nix flake check --print-build-logs - - name: Build package - id: build - if: runner.os == 'Linux' - continue-on-error: true - run: nix build --print-build-logs - - # When the real Nix build fails, run a targeted diagnostic to see if + # When the flake check fails, run a targeted diagnostic to see if # the failure is specifically a stale npm lockfile hash in one of the # known npm subpackages (tui / web). This avoids surfacing a generic # "build failed" message when the fix is a single known command. - name: Diagnose npm lockfile hashes id: hash_check - if: (steps.flake.outcome == 'failure' || steps.build.outcome == 'failure') && runner.os == 'Linux' + if: steps.flake.outcome == 'failure' && runner.os == 'Linux' continue-on-error: true env: LINK_SHA: ${{ steps.sha.outputs.full }} 
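Review bot: The `Check flake` step now builds on macOS runners as well (its `if: runner.os == 'Linux'` is gone), and nothing near it records that Nix leaves its build sandbox disabled by default on macOS. Unless the install step, which is outside this hunk, enables the sandbox, check builders from the checked-out ref run with network access and can reach the runner's filesystem, where previously macOS only evaluated the flake. That is worth confirming against the workflow's triggers and `permissions:` block, neither of which is visible here. I would note it on the step, e.g. `# Runs on macOS too, where the Nix sandbox is off by default; keep this job's token scoped accordingly.`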
@@ -88,30 +81,25 @@ jobs: - Or [run the Nix Lockfile Fix workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/nix-lockfile-fix.yml) manually (pass PR `#${{ github.event.pull_request.number }}`) - Or locally: `nix run .#fix-lockfiles` and commit the diff - # Clear the sticky comment when either the build passed outright (no + # Clear the sticky comment when either the flake check passed outright (no # hash check needed) or the hash check explicitly returned stale=false - # (build failed for a non-hash reason). + # (check failed for a non-hash reason). - name: Clear sticky PR comment (resolved) if: | github.event_name == 'pull_request' && - runner.os == 'Linux' && (steps.hash_check.outputs.stale == 'false' || - (steps.flake.outcome == 'success' && steps.build.outcome == 'success')) + steps.flake.outcome == 'success') uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2.9.1 with: header: nix-lockfile-check delete: true - - name: Final fail if build or flake failed - if: steps.flake.outcome == 'failure' || steps.build.outcome == 'failure' + - name: Final fail if flake check failed + if: steps.flake.outcome == 'failure' run: | if [ "${{ steps.hash_check.outputs.stale }}" == "true" ]; then echo "::error::Nix build failed due to stale npm lockfile hash. Run: nix run .#fix-lockfiles" else - echo "::error::Nix build/flake check failed. See logs above." + echo "::error::Nix flake check failed. See logs above." fi exit 1 - - - name: Evaluate flake (macOS) - if: runner.os == 'macOS' - run: nix flake show --json > /dev/null diff --git a/nix/checks.nix b/nix/checks.nix index e847ef26c..63ec1eb67 100644 --- a/nix/checks.nix +++ b/nix/checks.nix 
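Review bot: Dropping `runner.os == 'Linux' &&` from the `Clear sticky PR comment (resolved)` condition lets a macOS job delete the `nix-lockfile-check` comment whenever its own flake check succeeds, even though `hash_check` still runs only on Linux. If the Linux job reports `stale == 'true'` while a macOS job passes (for example because a fixed-output fetch was already satisfied from a cache), the comment would be posted or deleted depending on which job finishes last; the posting step is outside this hunk, so its gating is assumed. Keeping `runner.os == 'Linux' &&` on this step avoids that. Separately, `Final fail` expands `${{ steps.hash_check.outputs.stale }}` inside the script text; passing it through `env:`, as the diagnose step does with `LINK_SHA`, keeps expression output out of the shell source.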
@@ -58,6 +58,22 @@ json.dump(sorted(leaf_paths(DEFAULT_CONFIG)), sys.stdout, indent=2) echo "ok" > $out/result '' ); + + # Verify the default package builds successfully (cross-platform). + # On Linux the runtime checks below already depend on the package, + # but this ensures darwin builders also build it during flake check. + build-package = pkgs.runCommand "hermes-build-package" { } '' + echo "PASS: package built at ${hermes-agent}" + mkdir -p $out + echo "ok" > $out/result + ''; + + # Verify the devShell builds successfully (cross-platform). + build-devshell = pkgs.runCommand "hermes-build-devshell" { } '' + echo "PASS: devShell built at ${self'.devShells.default}" + mkdir -p $out + echo "ok" > $out/result + ''; } // lib.optionalAttrs pkgs.stdenv.hostPlatform.isLinux { # Verify binaries exist and are executable package-contents = pkgs.runCommand "hermes-package-contents" { } ''
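Review bot: The comments on `build-package` and `build-devshell` do not say that darwin still gets build-only coverage: the `package-contents` check that follows stays under `lib.optionalAttrs pkgs.stdenv.hostPlatform.isLinux`, so nothing on macOS verifies that the binaries exist or are executable, while the commit message reads as if runtime checks now run on all runners. I would add `# darwin: build-only coverage; the runtime checks below remain Linux-only.` above `build-package`. Both checks pass only because interpolating `${hermes-agent}` and `${self'.devShells.default}` forces those derivations to be realised, which deserves a one-line comment since the `echo` otherwise looks incidental. The enclosing attribute set starts and ends outside the hunk.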