Skip to content

git hooks for all (repos) #93

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
0xgleb wants to merge 11 commits into
base: main
Choose a base branch
from
Open

git hooks for all (repos) #93

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
ffad04a
git hooks for all repos
0xgleb Oct 16, 2025
11ff3bf
run flake check in ci
0xgleb Oct 16, 2025
b0a6b4e
--impure
0xgleb Oct 16, 2025
03b0c9d
no --check in cargo fmt
0xgleb Oct 17, 2025
2b6b008
fix cargo fmt
0xgleb Oct 17, 2025
fc4a7b5
fix prettier
0xgleb Dec 12, 2025
89c4aaf
conditional eslint and prettier hooks
0xgleb Dec 12, 2025
49c4a3e
revert broken eslint and prettier hooks
0xgleb Dec 12, 2025
6e14de5
ignore bun.nix in deadnix
0xgleb Jan 29, 2026
27cee37
Merge branch 'main' into feat/git-hooks
0xgleb Mar 10, 2026
2315977
nix flake update
0xgleb Mar 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 6 additions & 10 deletions .github/workflows/check-shell.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,22 +1,18 @@
name: Rainix CI check shell
on: [push]

jobs:
rainix-check-shell:
strategy:
matrix:
os: [
ubuntu-latest,
# intel mac
macos-13,
# apple silicon
macos-latest,
]
os: [ubuntu-latest,
# intel mac
macos-13,
# apple silicon
macos-latest]
fail-fast: false
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4

- uses: nixbuild/nix-quick-install-action@v30
with:
nix_conf: |
Expand All @@ -33,7 +29,7 @@ jobs:
# before trying to save a new cache
# 1G = 1073741824
gc-max-store-size-linux: 1G

- run: NIXPKGS_ALLOW_INSECURE=1 nix flake check --impure
Copy link

@coderabbitai coderabbitai bot Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify the necessity of NIXPKGS_ALLOW_INSECURE=1.

The --impure flag is appropriate for validating git hooks that interact with local git state. However, NIXPKGS_ALLOW_INSECURE=1 allows Nix to use packages marked as insecure, which could expose CI to vulnerable dependencies.

Please verify:

  1. Is this environment variable actually required for the flake check to pass?
  2. If so, which specific package(s) require it?
  3. Consider using a more targeted approach by allowing specific insecure packages with permittedInsecurePackages in Nix configuration instead of a blanket permission

Run the following to identify which packages require the insecure flag:

🏁 Script executed:

#!/bin/bash
# Remove NIXPKGS_ALLOW_INSECURE and see which packages fail
nix flake check --impure 2>&1 | grep -i "insecure\|vulnerable" || echo "No insecure packages detected"

Length of output: 29

Remove the unnecessary NIXPKGS_ALLOW_INSECURE=1 flag from line 32.

The verification confirms that the flake check passes without this flag, as no insecure packages are detected. Removing it improves CI security by eliminating unnecessary vulnerability exposure.

Change line 32 from:

      - run: NIXPKGS_ALLOW_INSECURE=1 nix flake check --impure

To:

      - run: nix flake check --impure
🤖 Prompt for AI Agents 
.github/workflows/check-shell.yml around line 32: the workflow sets
NIXPKGS_ALLOW_INSECURE=1 when running nix flake check, which is unnecessary and
weakens CI security; remove the environment variable so the step runs simply as
"run: nix flake check --impure" (update the line to remove the
NIXPKGS_ALLOW_INSECURE=1 prefix).

- run: nix develop --command cargo release --version
- run: nix develop --command flamegraph --help
- run: nix develop --command graph --version
Expand Down
1 change: 0 additions & 1 deletion .github/workflows/pr-assessment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ on:
pull_request:
types:
- closed

jobs:
assess-pr-size-on-merge:
uses: rainlanguage/github-chore/.github/workflows/pr-assessment.yml@main
Expand Down
3 changes: 0 additions & 3 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
name: Rainix CI
on: [push]

jobs:
rainix:
strategy:
Expand Down Expand Up @@ -29,7 +28,6 @@ jobs:
working-directory: test/fixture
steps:
- uses: actions/checkout@v4

- uses: nixbuild/nix-quick-install-action@v30
with:
nix_conf: |
Expand All @@ -46,7 +44,6 @@ jobs:
# before trying to save a new cache
# 1G = 1073741824
gc-max-store-size-linux: 1G

- run: nix run ../..#rainix-sol-prelude
- run: nix run ../..#rainix-rs-prelude
- name: Run ${{ matrix.task }}
Expand Down
3 changes: 2 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
result
.env
.env
.pre-commit-config.yaml
8 changes: 4 additions & 4 deletions .vscode/extensions.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{
"recommendations": [
"jnoortheen.nix-ide"
]
}
"recommendations": [
"jnoortheen.nix-ide"
]
}
2 changes: 1 addition & 1 deletion REUSE.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ path = [
"REUSE.toml",
".github/**/",
".vscode/**/",
"test/**/"
"test/**/",
]
SPDX-FileCopyrightText = "Copyright (c) 2020 thedavidmeister"
SPDX-License-Identifier = "LicenseRef-DCL-1.0"
120 changes: 97 additions & 23 deletions flake.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading