From ae7175efca3be667d0960264d743b0acb6b76684 Mon Sep 17 00:00:00 2001 From: Eden Reich Date: Wed, 13 May 2026 19:26:42 +0200 Subject: [PATCH 1/4] feat(nix): Replace standalone package.nix with flake.nix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a flake.nix at the repo root and removes the standalone nix/package.nix in favor of it. This lets downstream users install infer via flake refs from any Nix-based toolchain — most notably as a Flox manifest entry: [install] infer.flake = "github:inference-gateway/cli" Also runnable directly: `nix run github:inference-gateway/cli`. The flake derivation is functionally equivalent to the previous nix/package.nix (same buildGoModule shape, proxyVendor, darwin SwiftUI helper preBuild, shell completions) but builds from `self` rather than fetchFromGitHub, so consumers always get the exact ref they pin. CI workflows migrated: - nix-build.yml: path filter, build command, and lint targets switched to flake.nix / `nix build .#infer` / `nix flake check --all-systems`. - nix-version-sync.yml: dropped the source-hash step (no longer needed since the flake builds from `self`); now bumps only `version` and `vendorHash` in flake.nix. --- .github/workflows/nix-build.yml | 18 ++- .github/workflows/nix-version-sync.yml | 63 +++----- flake.lock | 61 ++++++++ flake.nix | 146 ++++++++++++++++++ nix/README.md | 206 ------------------------- nix/default.nix | 6 - nix/nixpkgs-submission/README.md | 46 ------ nix/package.nix | 99 ------------ nix/update-hashes.sh | 150 ------------------ 9 files changed, 239 insertions(+), 556 deletions(-) create mode 100644 flake.lock create mode 100644 flake.nix delete mode 100644 nix/README.md delete mode 100644 nix/default.nix delete mode 100644 nix/nixpkgs-submission/README.md delete mode 100644 nix/package.nix delete mode 100755 nix/update-hashes.sh diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml index 0e334de7..0837cd0f 100644 
--- a/.github/workflows/nix-build.yml +++ b/.github/workflows/nix-build.yml @@ -9,13 +9,15 @@ on: branches: - main paths: - - 'nix/**' + - 'flake.nix' + - 'flake.lock' - '.github/workflows/nix-build.yml' push: branches: - main paths: - - 'nix/**' + - 'flake.nix' + - 'flake.lock' - '.github/workflows/nix-build.yml' workflow_dispatch: @@ -53,7 +55,7 @@ jobs: - name: Build with Nix run: | - nix-build nix/default.nix --show-trace + nix build .#infer --show-trace --print-build-logs - name: Verify binary run: | @@ -93,15 +95,15 @@ jobs: - name: Check Nix formatting (nixfmt-rfc-style) run: | - nix-shell -p nixfmt-rfc-style --run "nixfmt --check nix/package.nix nix/default.nix" + nix-shell -p nixfmt-rfc-style --run "nixfmt --check flake.nix" - name: Lint with statix run: | - nix-shell -p statix --run "statix check nix/" + nix-shell -p statix --run "statix check flake.nix" - - name: Evaluate Nix expression + - name: Check flake evaluates on all systems run: | - nix-instantiate --eval --strict nix/default.nix --show-trace + nix flake check --all-systems --no-build --show-trace summary: name: Build Summary @@ -124,4 +126,4 @@ jobs: exit 1 fi - echo "✅ All Nix build checks passed!" + echo "All Nix build checks passed!" diff --git a/.github/workflows/nix-version-sync.yml b/.github/workflows/nix-version-sync.yml index eb04f674..0f0d45f7 100644 --- a/.github/workflows/nix-version-sync.yml +++ b/.github/workflows/nix-version-sync.yml @@ -17,7 +17,7 @@ permissions: jobs: update-nix-version: - name: Update Nix package version + name: Update Nix flake version runs-on: ubuntu-24.04 steps: 
@@ -49,37 +49,20 @@ jobs: echo "version=$VERSION" >> $GITHUB_OUTPUT echo "Version to sync: $VERSION" - - name: Calculate source hash - id: source-hash + - name: Update version in flake.nix run: | VERSION="${{ steps.version.outputs.version }}" - URL="https://github.com/inference-gateway/cli/archive/refs/tags/v${VERSION}.tar.gz" - - echo "Downloading source from: $URL" - # nix-prefetch-url emits a nix-base32 hash; convert to SRI (base64) - # because that's what fetchFromGitHub's `hash` attribute expects. - NIX32_HASH=$(nix-prefetch-url --unpack "$URL") - SRI_HASH=$(nix-hash --to-sri --type sha256 "$NIX32_HASH") - # Strip the "sha256-" prefix so the consumer can prepend it consistently. - HASH="${SRI_HASH#sha256-}" - echo "Source hash: sha256-$HASH" - echo "hash=$HASH" >> $GITHUB_OUTPUT - - - name: Update version in Nix expression - run: | - VERSION="${{ steps.version.outputs.version }}" - HASH="${{ steps.source-hash.outputs.hash }}" - sed -i "s/version = \"[0-9.]*\";/version = \"$VERSION\";/" nix/package.nix - sed -i "s|hash = \"sha256-[A-Za-z0-9+/=]*\";|hash = \"sha256-$HASH\";|" nix/package.nix - echo "Updated nix/package.nix with version $VERSION" - cat nix/package.nix | grep -A2 "version =" + sed -i "s/version = \"[0-9.]*\";/version = \"$VERSION\";/" flake.nix + echo "Updated flake.nix with version $VERSION" + grep -n 'version = "' flake.nix | head -1 - name: Calculate vendor hash id: vendor-hash run: | echo "Attempting build to calculate vendorHash..." - sed -i 's|vendorHash = "sha256-[A-Za-z0-9+/=]*";|vendorHash = "";|' nix/package.nix - BUILD_OUTPUT=$(nix-build nix/default.nix 2>&1 || true) + # Use a fake hash to force Nix to report the real one in the error. + sed -i 's|vendorHash = "sha256-[A-Za-z0-9+/=]*";|vendorHash = lib.fakeHash;|' flake.nix + BUILD_OUTPUT=$(nix build .#infer --show-trace 2>&1 || true) # `got: sha256-=` is already SRI-formatted in the build error, # so we just capture it verbatim. 
VENDOR_HASH=$(echo "$BUILD_OUTPUT" | grep -oP "got:\s+sha256-\K[A-Za-z0-9+/=]+" | head -1) 
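Review bot: The new `sed -i "s/version = \"[0-9.]*\";/version = \"$VERSION\";/" flake.nix` line writes `$VERSION` into a sed replacement without checking its shape, and `VERSION` is filled by `${{ steps.version.outputs.version }}` being expanded into the script text before the shell runs. The step that produces that output is outside this hunk, so it may already validate the value. If it does not, a value containing `/`, `&` or a quote would rewrite flake.nix in unintended ways or break out of the assignment. The removed nix/update-hashes.sh guarded this with an X.Y.Z check, and the same guard fits here: pass the value through the step's `env:` (`VERSION: ${{ steps.version.outputs.version }}`) and add `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1` before the sed.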
@@ -93,39 +76,38 @@ jobs: echo "Vendor hash: sha256-$VENDOR_HASH" echo "hash=$VENDOR_HASH" >> $GITHUB_OUTPUT - - name: Update vendor hash in Nix expression + - name: Update vendor hash in flake.nix run: | VENDOR_HASH="${{ steps.vendor-hash.outputs.hash }}" - sed -i "s|vendorHash = \"[^\"]*\";|vendorHash = \"sha256-$VENDOR_HASH\";|" nix/package.nix - echo "Updated vendorHash in nix/package.nix" + sed -i "s|vendorHash = lib.fakeHash;|vendorHash = \"sha256-$VENDOR_HASH\";|" flake.nix + echo "Updated vendorHash in flake.nix" - name: Format Nix file run: | - nix-shell -p nixfmt-rfc-style --run "nixfmt nix/package.nix" + nix-shell -p nixfmt-rfc-style --run "nixfmt flake.nix" - name: Create Pull Request uses: peter-evans/create-pull-request@v8.1.1 with: token: ${{ secrets.GITHUB_TOKEN }} - commit-message: 'chore(nix): Update package to v${{ steps.version.outputs.version }}' - title: 'chore(nix): Update package to v${{ steps.version.outputs.version }}' + commit-message: 'chore(nix): Update flake to v${{ steps.version.outputs.version }}' + title: 'chore(nix): Update flake to v${{ steps.version.outputs.version }}' body: | - ## Automated Nix Package Update + ## Automated Nix Flake Update - This PR updates the Nix package expression to version **${{ steps.version.outputs.version }}**. + This PR updates the Nix flake to version **${{ steps.version.outputs.version }}**. ### Changes - - ✅ Updated `version` to `${{ steps.version.outputs.version }}` - - ✅ Updated source `hash` to `sha256-${{ steps.source-hash.outputs.hash }}` - - ✅ Updated `vendorHash` to `sha256-${{ steps.vendor-hash.outputs.hash }}` - - ✅ Formatted with nixfmt-rfc-style + - Updated `version` to `${{ steps.version.outputs.version }}` + - Updated `vendorHash` to `sha256-${{ steps.vendor-hash.outputs.hash }}` + - Formatted with nixfmt-rfc-style The `Nix Build Verification` workflow runs on this PR and is the authoritative gate for verifying the updated hashes build cleanly. 
### Verification ```bash - nix-build nix/default.nix + nix build .#infer result/bin/infer version ``` @@ -133,7 +115,7 @@ jobs: - Release: ${{ github.event.release.html_url || 'Manual trigger' }} --- - 🤖 Auto-generated by `.github/workflows/nix-version-sync.yml` + Auto-generated by `.github/workflows/nix-version-sync.yml` branch: chore/nix-update-v${{ steps.version.outputs.version }} delete-branch: true labels: | @@ -143,10 +125,9 @@ jobs: - name: Summary run: | - echo "## ✅ Nix Package Updated" >> $GITHUB_STEP_SUMMARY + echo "## Nix Flake Updated" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "- **Version**: ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY - echo "- **Source Hash**: sha256-${{ steps.source-hash.outputs.hash }}" >> $GITHUB_STEP_SUMMARY echo "- **Vendor Hash**: sha256-${{ steps.vendor-hash.outputs.hash }}" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "A pull request has been created to merge these changes." >> $GITHUB_STEP_SUMMARY diff --git a/flake.lock b/flake.lock new file mode 100644 index 00000000..6da30234 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1778580735, + "narHash": "sha256-t+8AVV8ExvOmslz2sLIgw/hJBKlyl65rJvxjvvjHgpE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "48d91f2c0ce7b9e589f967d4f685153dd765dcdd", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 00000000..1a297add --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,146 @@ +{ + description = "Inference Gateway CLI - infer"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + flake-utils.url = "github:numtide/flake-utils"; + }; + + outputs = + { + self, + nixpkgs, + flake-utils, + }: + flake-utils.lib.eachDefaultSystem ( + system: + let + pkgs = import nixpkgs { inherit system; }; + inherit (pkgs) lib stdenv; + + version = "0.109.3"; + + infer = pkgs.buildGoModule (finalAttrs: { + __structuredAttrs = true; + + pname = "infer"; + inherit version; + + src = lib.cleanSourceWith { + src = ./.; + filter = + path: type: + let + baseName = baseNameOf (toString path); + relPath = lib.removePrefix (toString ./. + "/") (toString path); + in + !( + baseName == ".git" + || baseName == "dist" + || baseName == "result" + || baseName == ".flox" + || baseName == ".infer" + || baseName == ".task" + || baseName == "node_modules" + || (type == "regular" && relPath == "infer") + || (type == "directory" && lib.hasPrefix "internal/display/macos/ComputerUse/build" relPath) + ); + }; + + vendorHash = "sha256-+ntde+NYik4gEicMlyonBAE+gkHoYYiw3G0dbQ/gX2I="; + + proxyVendor = true; + + env.CGO_ENABLED = if stdenv.hostPlatform.isDarwin then "1" else "0"; + + ldflags = [ + "-s" + "-w" + "-X=github.com/inference-gateway/cli/cmd.version=${version}" + "-X=github.com/inference-gateway/cli/cmd.commit=${self.shortRev or "dirty"}" + ]; + + preCheck = '' + export HOME=$TMPDIR + ''; + + checkFlags = [ + "-skip=TestIntegration" + ]; + + nativeBuildInputs = [ + pkgs.installShellFiles + ] + ++ lib.optionals stdenv.hostPlatform.isDarwin [ pkgs.swift ]; + + buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [ pkgs.apple-sdk ]; + + preBuild = lib.optionalString stdenv.hostPlatform.isDarwin '' + export SDKROOT="${pkgs.apple-sdk}/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk" + pushd internal/display/macos/ComputerUse > /dev/null + bash ./build.sh + popd > /dev/null + ''; + + postInstall = '' + if [ -f $out/bin/cli ]; then + mv 
$out/bin/cli $out/bin/infer + fi + + installShellCompletion --cmd infer \ + --bash <($out/bin/infer completion bash) \ + --fish <($out/bin/infer completion fish) \ + --zsh <($out/bin/infer completion zsh) + ''; + + meta = { + description = "Command-line interface for the Inference Gateway - AI model interaction manager"; + longDescription = '' + The Inference Gateway CLI is a command-line tool for managing AI model interactions. + It provides interactive chat, autonomous agent execution, and extensive tool + integration for LLMs, with support for both the MCP and A2A protocols, as well + as computer use for GUI automation. It can also run as a Telegram bot for + remote-controlling the agent from chat. + ''; + homepage = "https://github.com/inference-gateway/cli"; + changelog = "https://github.com/inference-gateway/cli/blob/v${version}/CHANGELOG.md"; + license = lib.licenses.mit; + maintainers = [ + { + name = "Eden Reich"; + email = "eden.reich@gmail.com"; + github = "edenreich"; + githubId = 26537388; + } + ]; + mainProgram = "infer"; + platforms = lib.platforms.unix; + }; + }); + in + { + packages = { + default = infer; + inherit infer; + }; + + apps.default = { + type = "app"; + program = "${infer}/bin/infer"; + meta = { + description = "Run the infer CLI"; + mainProgram = "infer"; + }; + }; + + devShells.default = pkgs.mkShell { + packages = [ + pkgs.go + pkgs.go-task + pkgs.golangci-lint + pkgs.gopls + ]; + }; + } + ); +} diff --git a/nix/README.md b/nix/README.md deleted file mode 100644 index f24f007e..00000000 --- a/nix/README.md +++ /dev/null 
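Review bot: The why-comments from nix/package.nix were not carried into the new derivation, so `proxyVendor = true`, the Darwin-only `env.CGO_ENABLED`, `checkFlags` and the `preBuild` Swift step now stand unexplained in flake.nix. I would restore at least the one above `proxyVendor`, for example `# proxyVendor keeps the full module layout; go mod vendor strips the C headers robotgo's CGO includes need`, plus the one-line notes on CGO (`# macOS requires CGO for clipboard support`) and on why `TestIntegration` is skipped. The `vendorHash` here also differs from the one in the removed package.nix at the same `version = "0.109.3"`. That is presumably because the flake builds the current tree rather than the v0.109.3 tag, but a sentence in the commit description saying so would let a reviewer confirm the pin changed for that reason.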
@@ -1,206 +0,0 @@ -# Nix Packaging for Inference Gateway CLI - -This directory contains the Nix package expression for building the Inference Gateway CLI with Nix. - -## Quick Start - -### Building Locally - -```bash -# Build the package -nix-build nix/package.nix - -# Test the binary -./result/bin/infer version -./result/bin/infer --help - -# Install to user profile -nix-env -if nix/package.nix -``` - -### Testing Before Release - -Before each release, ensure the Nix package builds correctly: - -```bash -# Clean build -nix-build nix/package.nix --show-trace - -# Verify the binary works -./result/bin/infer version -./result/bin/infer chat --help - -# Check shell completions were generated -ls -la ./result/share/bash-completion/completions/ -ls -la ./result/share/fish/vendor_completions.d/ -ls -la ./result/share/zsh/site-functions/ -``` - -## Updating Hashes - -The package expression contains two hashes that must be updated for each release: - -### 1. Source Hash - -This is the hash of the GitHub source tarball: - -```bash -# Calculate for a specific version -VERSION="0.103.0" -nix-prefetch-url --unpack "https://github.com/inference-gateway/cli/archive/refs/tags/v${VERSION}.tar.gz" - -# Update in package.nix: -# hash = "sha256-CALCULATED_HASH"; -``` - -### 2. Vendor Hash - -This is the hash of the Go module dependencies: - -```bash -# Set vendorHash to empty string in package.nix -sed -i 's|vendorHash = "sha256-.*";|vendorHash = "";|' package.nix - -# Attempt to build - it will fail with the correct hash -nix-build nix/package.nix 2>&1 | tee build.log - -# Extract the hash from the error -grep "got:" build.log | grep -oP "sha256-[A-Za-z0-9+/=]+" - -# Update in package.nix: -# vendorHash = "sha256-CALCULATED_HASH"; -``` - -## Automated Workflow - -The `.github/workflows/nix-version-sync.yml` workflow automatically: - -1. Triggers on new releases -2. Calculates both hashes -3. Updates `nix/package.nix` -4. Creates a PR with the changes -5. 
Verifies the build succeeds - -You can also trigger it manually: - -```bash -# Via GitHub UI: Actions > Nix Version Sync > Run workflow -# Or via gh CLI: -gh workflow run nix-version-sync.yml -f version=0.103.0 -``` - -## CI Integration - -The `.github/workflows/nix-build.yml` workflow runs on every PR and push to verify: - -- Nix package builds on Linux (amd64, arm64) -- Nix package builds on macOS (amd64, arm64) -- Binary runs and `infer version` works -- Nix expression is properly formatted - -## Platform Support - -The package supports: - -- **Linux**: x86_64-linux, aarch64-linux -- **macOS**: x86_64-darwin, aarch64-darwin (requires CGO for clipboard) - -### macOS Notes - -macOS builds require CGO enabled for clipboard support (`golang.design/x/clipboard`): - -```nix -CGO_ENABLED = if stdenv.isDarwin then 1 else 0; - -buildInputs = lib.optionals stdenv.isDarwin [ - darwin.apple_sdk.frameworks.Cocoa - darwin.apple_sdk.frameworks.UserNotifications -]; -``` - -## Submitting to nixpkgs - -Once the package builds successfully: - -1. Follow the [nixpkgs submission guide](../docs/nixpkgs-submission.md) -2. Ensure all hashes are correct (no placeholders) -3. Test on at least NixOS Linux and macOS -4. Submit PR to [NixOS/nixpkgs](https://github.com/NixOS/nixpkgs) - -## Troubleshooting - -### Build Fails with Hash Mismatch - -```bash -# Recalculate the hash -nix-prefetch-url --unpack "https://github.com/inference-gateway/cli/archive/refs/tags/vVERSION.tar.gz" -``` - -### Vendor Hash Mismatch - -```bash -# Set to empty string and rebuild to get correct hash -sed -i 's|vendorHash = ".*";|vendorHash = "";|' nix/package.nix -nix-build nix/package.nix 2>&1 | grep "got:" -``` - -### CGO Errors on macOS - -Ensure: - -- `CGO_ENABLED = 1` for Darwin -- `darwin.apple_sdk.frameworks.Cocoa` in buildInputs -- Xcode Command Line Tools are installed - -### Tests Fail in Sandbox - -Some tests may require network or fail in Nix sandbox. 
Use `checkFlags`: - -```nix -checkFlags = [ - "-skip=TestIntegration|TestNetwork" -]; -``` - -## Development - -### Local Testing with Different Go Versions - -```bash -# Override Go version -nix-build nix/package.nix --arg go go_1_23 - -# With specific nixpkgs version -nix-build nix/package.nix -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/nixos-24.11.tar.gz -``` - -### Formatting - -Format Nix files with nixpkgs-fmt: - -```bash -nix-shell -p nixpkgs-fmt --run "nixpkgs-fmt nix/" -``` - -### Checking Evaluation - -Ensure the expression evaluates without errors: - -```bash -nix-instantiate --eval --strict nix/package.nix --show-trace -``` - -## Resources - -- [Nix Pills](https://nixos.org/guides/nix-pills/) -- [nixpkgs Manual - Go](https://nixos.org/manual/nixpkgs/stable/#sec-language-go) -- [nixpkgs Contributing](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md) -- [Cachix](https://www.cachix.org/) - Binary cache for faster builds - -## Contact - -For issues with the Nix package: - -- Open an issue in this repository -- Tag with `nix` label -- Include build logs and system info diff --git a/nix/default.nix b/nix/default.nix deleted file mode 100644 index 56a2b170..00000000 --- a/nix/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -# Default entry point for nix-build -{ - pkgs ? import { }, -}: - -pkgs.callPackage ./package.nix { } diff --git a/nix/nixpkgs-submission/README.md b/nix/nixpkgs-submission/README.md deleted file mode 100644 index a7483ecd..00000000 --- a/nix/nixpkgs-submission/README.md +++ /dev/null 
@@ -1,46 +0,0 @@ -# nixpkgs Submission - -Quick guide for submitting `infer` to nixpkgs. - -## Steps - -```bash -# 1. Fork https://github.com/NixOS/nixpkgs -git clone https://github.com/YOUR_USERNAME/nixpkgs.git -cd nixpkgs -git checkout -b infer-init - -# 2. Add maintainer info to maintainers/maintainer-list.nix -edenreich = { - email = "eden.reich@gmail.com"; - github = "edenreich"; - githubId = 16985712; - name = "Eden Reich"; -}; - -# 3. Copy package definition -mkdir -p pkgs/by-name/in/infer -cp path/to/cli/nix/package.nix pkgs/by-name/in/infer/package.nix - -# 4. Test build -nix-build -A infer - -# 5. Commit and create PR -git add pkgs/by-name/in/infer/package.nix maintainers/maintainer-list.nix -git commit -m "infer: init at 0.103.0" -git push origin infer-init -``` - -## Package Info - -- **Package**: `../package.nix` (use this file for submission) -- **Name**: `infer` -- **Command**: `infer` -- **Version**: 0.103.0 -- **Status**: ✅ Builds on all platforms - -## Install After Merge - -```bash -nix profile install nixpkgs#infer -``` diff --git a/nix/package.nix b/nix/package.nix deleted file mode 100644 index 918a9233..00000000 --- a/nix/package.nix +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - lib, - buildGoModule, - fetchFromGitHub, - installShellFiles, - stdenv, - swift, - apple-sdk, -}: - -buildGoModule (finalAttrs: { - __structuredAttrs = true; - - pname = "infer"; - version = "0.109.3"; - - src = fetchFromGitHub { - owner = "inference-gateway"; - repo = "cli"; - tag = "v${finalAttrs.version}"; - hash = "sha256-MP2cEu0rNlLWUQy09WigK8wD9U2PORNKXbs6m7pNPco="; - }; - - vendorHash = "sha256-ge+R4F7BoriAKIGmwvF7cS5hJFLJ3HO/HkIOPhEdXbA="; - - # Use the Go module proxy layout instead of `go mod vendor`. The robotgo - # dependency includes CGO `#include` directives that reference C headers - # in subpackages (e.g. screen/goScreen.h) that `go mod vendor` strips - # because no Go code imports those subpackages directly. proxyVendor - # preserves the full module layout, including the headers CGO needs. - proxyVendor = true; - - # macOS requires CGO for clipboard support (golang.design/x/clipboard). - env.CGO_ENABLED = if stdenv.hostPlatform.isDarwin then "1" else "0"; - - ldflags = [ - "-s" - "-w" - "-X=github.com/inference-gateway/cli/cmd.version=${finalAttrs.version}" - "-X=github.com/inference-gateway/cli/cmd.commit=v${finalAttrs.version}" - ]; - - # Disable tests that require network or external dependencies - preCheck = '' - export HOME=$TMPDIR - ''; - - # Some tests may fail in the Nix sandbox due to networking requirements - checkFlags = [ - "-skip=TestIntegration" - ]; - - nativeBuildInputs = [ installShellFiles ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ swift ]; - - buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [ apple-sdk ]; - - # On macOS, the Go binary embeds a SwiftUI floating-window helper app via - # //go:embed. The build/ folder is gitignored, so we compile the Swift - # sources before `go build` runs. The same build.sh is used by the - # standard release workflow, keeping a single source of truth for the - # Swift app build. 
build.sh reads SDKROOT and skips codesign when it is - # not available in the sandbox. - preBuild = lib.optionalString stdenv.hostPlatform.isDarwin '' - export SDKROOT="${apple-sdk}/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk" - pushd internal/display/macos/ComputerUse > /dev/null - bash ./build.sh - popd > /dev/null - ''; - - postInstall = '' - # Rename binary from 'cli' to 'infer' if needed - if [ -f $out/bin/cli ]; then - mv $out/bin/cli $out/bin/infer - fi - - # Generate shell completions - installShellCompletion --cmd infer \ - --bash <($out/bin/infer completion bash) \ - --fish <($out/bin/infer completion fish) \ - --zsh <($out/bin/infer completion zsh) - ''; - - meta = { - description = "Command-line interface for the Inference Gateway - AI model interaction manager"; - longDescription = '' - The Inference Gateway CLI is a command-line tool for managing AI model interactions. - It provides interactive chat, autonomous agent execution, and extensive tool - integration for LLMs, with support for both the MCP and A2A protocols, as well - as computer use for GUI automation. It can also run as a Telegram bot for - remote-controlling the agent from chat. - ''; - homepage = "https://github.com/inference-gateway/cli"; - changelog = "https://github.com/inference-gateway/cli/blob/v${finalAttrs.version}/CHANGELOG.md"; - license = lib.licenses.mit; - maintainers = with lib.maintainers; [ edenreich ]; - mainProgram = "infer"; - platforms = lib.platforms.unix; - }; -}) diff --git a/nix/update-hashes.sh b/nix/update-hashes.sh deleted file mode 100755 index 3476ca33..00000000 --- a/nix/update-hashes.sh +++ /dev/null 
@@ -1,150 +0,0 @@ -#!/usr/bin/env bash -# -# Script to calculate and update Nix package hashes -# Usage: ./nix/update-hashes.sh [VERSION] -# Example: ./nix/update-hashes.sh 0.103.0 -# - -set -euo pipefail - -# Colors for output -RED='\033[0;31m' -GREEN='\033[0;32m' -YELLOW='\033[1;33m' -NC='\033[0m' # No Color - -# Get version from argument or extract from current package.nix -if [ $# -eq 1 ]; then - VERSION="$1" -else - # Extract current version from package.nix - VERSION=$(grep 'version = "' nix/package.nix | head -1 | sed 's/.*version = "\(.*\)";/\1/') - echo -e "${YELLOW}No version specified, using current version from package.nix: ${VERSION}${NC}" -fi - -# Validate version format -if ! [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo -e "${RED}Error: Invalid version format. Expected X.Y.Z, got: ${VERSION}${NC}" - exit 1 -fi - -echo -e "${GREEN}Calculating hashes for version ${VERSION}...${NC}\n" - -# Check if nix-prefetch-url is available -if ! command -v nix-prefetch-url &> /dev/null; then - echo -e "${RED}Error: nix-prefetch-url not found. Please install Nix.${NC}" - exit 1 -fi - -# 1. Calculate source hash -echo -e "${YELLOW}[1/4] Calculating source hash...${NC}" -TARBALL_URL="https://github.com/inference-gateway/cli/archive/refs/tags/v${VERSION}.tar.gz" -echo "Fetching: ${TARBALL_URL}" - -NIX32_HASH=$(nix-prefetch-url --unpack "$TARBALL_URL" 2>&1 | tail -1) - -if [ -z "$NIX32_HASH" ]; then - echo -e "${RED}Error: Failed to calculate source hash${NC}" - exit 1 -fi - -# Convert nix-base32 to SRI (base64) — fetchFromGitHub.hash expects SRI format. -SOURCE_HASH=$(nix-hash --to-sri --type sha256 "$NIX32_HASH" | sed 's/^sha256-//') - -echo -e "${GREEN}Source hash: sha256-${SOURCE_HASH}${NC}\n" - -# 2. 
Update version and source hash in package.nix -echo -e "${YELLOW}[2/4] Updating version and source hash in package.nix...${NC}" - -# Create backup -cp nix/package.nix nix/package.nix.bak - -# Update version -sed -i.tmp "s/version = \"[0-9.]*\";/version = \"${VERSION}\";/" nix/package.nix - -# Update source hash -sed -i.tmp "s|hash = \"sha256-[A-Za-z0-9+/=]*\";|hash = \"sha256-${SOURCE_HASH}\";|" nix/package.nix - -# Remove temp files -rm -f nix/package.nix.tmp - -echo -e "${GREEN}Updated version and source hash${NC}\n" - -# 3. Calculate vendor hash -echo -e "${YELLOW}[3/4] Calculating vendor hash (this may take a minute)...${NC}" - -# Set vendorHash to empty to trigger the error with correct hash -sed -i.tmp 's|vendorHash = "sha256-[A-Za-z0-9+/=]*";|vendorHash = "";|' nix/package.nix -rm -f nix/package.nix.tmp - -# Try to build and capture the vendor hash from error -echo "Building to determine vendor hash..." -BUILD_OUTPUT=$(nix-build nix/default.nix 2>&1 || true) - -# Extract vendor hash from the error message -VENDOR_HASH=$(echo "$BUILD_OUTPUT" | grep -oP "got:\s+sha256-\K[A-Za-z0-9+/=]+" | head -1) - -if [ -z "$VENDOR_HASH" ]; then - echo -e "${RED}Error: Failed to calculate vendor hash${NC}" - echo "Build output:" - echo "$BUILD_OUTPUT" - - # Restore backup - mv nix/package.nix.bak nix/package.nix - exit 1 -fi - -echo -e "${GREEN}Vendor hash: sha256-${VENDOR_HASH}${NC}\n" - -# 4. 
Update vendor hash in package.nix -echo -e "${YELLOW}[4/4] Updating vendor hash in package.nix...${NC}" - -sed -i.tmp "s|vendorHash = \"[^\"]*\";|vendorHash = \"sha256-${VENDOR_HASH}\";|" nix/package.nix -rm -f nix/package.nix.tmp - -# Remove backup if everything succeeded -rm -f nix/package.nix.bak - -echo -e "${GREEN}✓ Successfully updated all hashes!${NC}\n" - -# Summary -echo "==========================================" -echo "Summary:" -echo "==========================================" -echo "Version: ${VERSION}" -echo "Source Hash: sha256-${SOURCE_HASH}" -echo "Vendor Hash: sha256-${VENDOR_HASH}" -echo "==========================================" -echo "" - -# Verify the build -echo -e "${YELLOW}Verifying build...${NC}" -if nix-build nix/default.nix --show-trace; then - echo -e "${GREEN}✓ Build successful!${NC}\n" - - # Test the binary - echo -e "${YELLOW}Testing binary...${NC}" - if ./result/bin/infer version; then - echo -e "\n${GREEN}✓ Binary works correctly!${NC}\n" - - # Cleanup - echo -e "${YELLOW}Cleaning up build artifacts...${NC}" - rm -f result - - echo -e "${GREEN}==========================================" - echo "All done! ✓" - echo "==========================================${NC}" - echo "" - echo "Next steps:" - echo " 1. Review changes: git diff nix/package.nix" - echo " 2. Commit changes: git add nix/package.nix && git commit -m 'chore(nix): update to v${VERSION}'" - echo " 3. Push and verify CI: git push" - echo "" - else - echo -e "${RED}✗ Binary test failed${NC}" - exit 1 - fi -else - echo -e "${RED}✗ Build failed${NC}" - exit 1 -fi From 92b715da082d606210526295f44c8f1182a5a81c Mon Sep 17 00:00:00 2001 
From: Eden Reich Date: Wed, 13 May 2026 19:58:37 +0200 Subject: [PATCH 2/4] ci(nix): auto-fix vendorHash on PRs and bump version in release commit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds .github/workflows/nix-fix-hashes.yml: on every PR touching go.mod/go.sum/flake.nix, runs `nix flake check -L`; on hash mismatch, runs `determinate-nixd fix hashes --auto-apply` and commits the fix back to the PR branch with a `[dependabot skip]` prefix so Dependabot won't clobber it on rebase. Pushes via the BOT GitHub App token (not GITHUB_TOKEN, whose pushes don't retrigger downstream workflows and would leave the verification gate stale). Extends nix-build.yml path filters to include go.mod/go.sum so the verification gate runs on the auto-fixed commits. Moves version bumping into the release commit via @semantic-release/exec + a sed prepareCmd that updates `version =` in flake.nix before @semantic-release/git commits it alongside CHANGELOG.md. The sed uses bracket-negation to handle prerelease versions from rc/* branches. Release pipeline gains one npm package install (~3s) but no Nix install — pure sed. Adds goSum = ./go.sum; to buildGoModule attrs to derive the module list from go.sum rather than running `go mod download` blind, per Determinate Systems guidance for improved reliability across nixpkgs upgrades. Removes nix-version-sync.yml: its responsibilities are now distributed across nix-fix-hashes.yml (vendorHash on PRs) and the release prepareCmd (version in tagged commits). Pattern source: https://docs.determinate.systems/guides/automatically-fix-hashes-in-github-actions/ NOTE: nix-build.yml should be set as a required status check on main in repo settings for this model to hold — otherwise PRs with stale vendorHash could merge and break the next release commit. 
Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/nix-build.yml | 4 + .github/workflows/nix-fix-hashes.yml | 77 ++++++++++++++ .github/workflows/nix-version-sync.yml | 133 ------------------------- .github/workflows/release.yml | 1 + .releaserc.yaml | 5 + flake.nix | 2 + 6 files changed, 89 insertions(+), 133 deletions(-) create mode 100644 .github/workflows/nix-fix-hashes.yml delete mode 100644 .github/workflows/nix-version-sync.yml diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml index 0837cd0f..ebd60305 100644 --- a/.github/workflows/nix-build.yml +++ b/.github/workflows/nix-build.yml @@ -11,6 +11,8 @@ on: paths: - 'flake.nix' - 'flake.lock' + - 'go.mod' + - 'go.sum' - '.github/workflows/nix-build.yml' push: branches: @@ -18,6 +20,8 @@ on: paths: - 'flake.nix' - 'flake.lock' + - 'go.mod' + - 'go.sum' - '.github/workflows/nix-build.yml' workflow_dispatch: diff --git a/.github/workflows/nix-fix-hashes.yml b/.github/workflows/nix-fix-hashes.yml new file mode 100644 index 00000000..3f6d5eb6 --- /dev/null +++ b/.github/workflows/nix-fix-hashes.yml 
@@ -0,0 +1,77 @@ +name: Nix Auto-fix Hashes + +concurrency: + group: nix-fix-${{ github.ref }} + cancel-in-progress: true + +on: + pull_request: + types: + - opened + - synchronize + - reopened + paths: + - 'flake.nix' + - 'flake.lock' + - 'go.mod' + - 'go.sum' + - '.github/workflows/nix-fix-hashes.yml' + +permissions: + contents: write + pull-requests: write + id-token: read + +jobs: + fix-hashes: + name: Auto-fix Nix hashes + runs-on: ubuntu-24.04 + steps: + - name: Create GitHub App Token + uses: actions/create-github-app-token@v3.2.0 + id: app_token + with: + client-id: ${{ secrets.BOT_GH_APP_ID }} + private-key: ${{ secrets.BOT_GH_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: | + ${{ github.event.repository.name }} + + - name: Get GitHub App User ID + id: get_user_id + run: echo "user_id=$(gh api "/users/${{ steps.app_token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" + env: + GH_TOKEN: ${{ steps.app_token.outputs.token }} + + - name: Checkout PR branch + uses: actions/checkout@v6.0.2 + with: + token: ${{ steps.app_token.outputs.token }} + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + fetch-depth: 0 + + - name: Install Determinate Nix + uses: DeterminateSystems/determinate-nix-action@v3 + + - name: Detect hash mismatches + id: check + run: nix flake check -L + continue-on-error: true + + - name: Auto-fix hashes and push + if: steps.check.outcome == 'failure' + env: + GH_TOKEN: ${{ steps.app_token.outputs.token }} + run: | + determinate-nixd fix hashes --auto-apply flake.nix + if git diff --quiet; then + echo "No hash fixes needed (build failed for a different reason)" + exit 1 + fi + + git config user.name "${{ steps.app_token.outputs.app-slug }}[bot]" + git config user.email "${{ steps.get_user_id.outputs.user_id }}+${{ steps.app_token.outputs.app-slug }}[bot]@users.noreply.github.com" + git add flake.nix + git commit -m "chore(nix): auto-fix 
vendorHash [dependabot skip]" + git push origin HEAD:${{ github.event.pull_request.head.ref }} diff --git a/.github/workflows/nix-version-sync.yml b/.github/workflows/nix-version-sync.yml deleted file mode 100644 index 0f0d45f7..00000000 --- a/.github/workflows/nix-version-sync.yml +++ /dev/null 
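Review bot: The final `git push` in the `Auto-fix hashes and push` step expands `${{ github.event.pull_request.head.ref }}` directly into the script text, so a branch name chosen by the PR author is parsed by the shell in a step that carries the App token in `GH_TOKEN`. Pass the value through the environment instead: add `HEAD_REF: ${{ github.event.pull_request.head.ref }}` under that step's `env:` and push with `git push origin "HEAD:${HEAD_REF}"`. The `app-slug` and `user_id` expansions come from earlier step outputs rather than from the PR, but moving them into `env:` as well would keep the script free of inline expressions. Separately, the job-wide `contents: write` and `pull-requests: write` grant looks wider than needed, because the push uses the App token rather than `GITHUB_TOKEN`.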
@@ -1,133 +0,0 @@ -name: Nix Version Sync - -on: - release: - types: - - published - workflow_dispatch: - inputs: - version: - description: 'Version to sync (e.g., 0.103.0)' - required: true - type: string - -permissions: - contents: write - pull-requests: write - -jobs: - update-nix-version: - name: Update Nix flake version - runs-on: ubuntu-24.04 - - steps: - - name: Checkout repository - uses: actions/checkout@v6.0.2 - with: - ref: main - fetch-depth: 0 - - - name: Install Nix - uses: cachix/install-nix-action@v31 - with: - nix_path: nixpkgs=channel:nixos-unstable - extra_nix_config: | - experimental-features = nix-command flakes - - - name: Set up Magic Nix Cache - uses: DeterminateSystems/magic-nix-cache-action@v13 - - - name: Determine version - id: version - run: | - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then - VERSION="${{ inputs.version }}" - else - VERSION="${{ github.event.release.tag_name }}" - VERSION="${VERSION#v}" - fi - echo "version=$VERSION" >> $GITHUB_OUTPUT - echo "Version to sync: $VERSION" - - - name: Update version in flake.nix - run: | - VERSION="${{ steps.version.outputs.version }}" - sed -i "s/version = \"[0-9.]*\";/version = \"$VERSION\";/" flake.nix - echo "Updated flake.nix with version $VERSION" - grep -n 'version = "' flake.nix | head -1 - - - name: Calculate vendor hash - id: vendor-hash - run: | - echo "Attempting build to calculate vendorHash..." - # Use a fake hash to force Nix to report the real one in the error. - sed -i 's|vendorHash = "sha256-[A-Za-z0-9+/=]*";|vendorHash = lib.fakeHash;|' flake.nix - BUILD_OUTPUT=$(nix build .#infer --show-trace 2>&1 || true) - # `got: sha256-=` is already SRI-formatted in the build error, - # so we just capture it verbatim. 
- VENDOR_HASH=$(echo "$BUILD_OUTPUT" | grep -oP "got:\s+sha256-\K[A-Za-z0-9+/=]+" | head -1) - - if [ -z "$VENDOR_HASH" ]; then - echo "::error::Failed to calculate vendorHash" - echo "$BUILD_OUTPUT" - exit 1 - fi - - echo "Vendor hash: sha256-$VENDOR_HASH" - echo "hash=$VENDOR_HASH" >> $GITHUB_OUTPUT - - - name: Update vendor hash in flake.nix - run: | - VENDOR_HASH="${{ steps.vendor-hash.outputs.hash }}" - sed -i "s|vendorHash = lib.fakeHash;|vendorHash = \"sha256-$VENDOR_HASH\";|" flake.nix - echo "Updated vendorHash in flake.nix" - - - name: Format Nix file - run: | - nix-shell -p nixfmt-rfc-style --run "nixfmt flake.nix" - - - name: Create Pull Request - uses: peter-evans/create-pull-request@v8.1.1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - commit-message: 'chore(nix): Update flake to v${{ steps.version.outputs.version }}' - title: 'chore(nix): Update flake to v${{ steps.version.outputs.version }}' - body: | - ## Automated Nix Flake Update - - This PR updates the Nix flake to version **${{ steps.version.outputs.version }}**. - - ### Changes - - Updated `version` to `${{ steps.version.outputs.version }}` - - Updated `vendorHash` to `sha256-${{ steps.vendor-hash.outputs.hash }}` - - Formatted with nixfmt-rfc-style - - The `Nix Build Verification` workflow runs on this PR and is the - authoritative gate for verifying the updated hashes build cleanly. 
- - ### Verification - ```bash - nix build .#infer - result/bin/infer version - ``` - - ### Related - - Release: ${{ github.event.release.html_url || 'Manual trigger' }} - - --- - Auto-generated by `.github/workflows/nix-version-sync.yml` - branch: chore/nix-update-v${{ steps.version.outputs.version }} - delete-branch: true - labels: | - nix - dependencies - automated - - - name: Summary - run: | - echo "## Nix Flake Updated" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "- **Version**: ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY - echo "- **Vendor Hash**: sha256-${{ steps.vendor-hash.outputs.hash }}" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "A pull request has been created to merge these changes." >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b48633fb..85a50a66 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -65,6 +65,7 @@ jobs: @semantic-release/commit-analyzer@13.0.1 \ @semantic-release/release-notes-generator@14.1.0 \ @semantic-release/changelog@6.0.3 \ + @semantic-release/exec@7.1.0 \ @semantic-release/git@10.0.1 \ @semantic-release/github@1.0.0 \ conventional-changelog-conventionalcommits@9.1.0 \ diff --git a/.releaserc.yaml b/.releaserc.yaml index d417e732..6ba3a2ae 100644 --- a/.releaserc.yaml +++ b/.releaserc.yaml @@ -87,9 +87,14 @@ plugins: The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + - - "@semantic-release/exec" + - prepareCmd: | + sed -i.bak 's|version = "[^"]*";|version = "${nextRelease.version}";|' flake.nix && rm flake.nix.bak + - - "@semantic-release/git" - assets: - CHANGELOG.md + - flake.nix message: | chore(release): ${nextRelease.version} [skip ci] diff --git a/flake.nix b/flake.nix index 1a297add..ce97b25e 100644 --- a/flake.nix +++ b/flake.nix 
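Review bot: The `sed` in the new `prepareCmd` exits 0 even when the pattern matches nothing, and it rewrites every line that holds a `version = "...";` assignment, so the release commit can carry a stale or over-edited `flake.nix` without the step failing. flake.nix is not fully visible here, so whether a second `version =` attribute exists is an assumption to check. A follow-up line such as `grep -q 'version = "${nextRelease.version}";' flake.nix` would make the release fail when the substitution did not land. Anchoring the pattern to the derivation's own attribute would also limit what gets rewritten.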
@@ -49,6 +49,8 @@ vendorHash = "sha256-+ntde+NYik4gEicMlyonBAE+gkHoYYiw3G0dbQ/gX2I="; + goSum = ./go.sum; + proxyVendor = true; env.CGO_ENABLED = if stdenv.hostPlatform.isDarwin then "1" else "0"; From 60d7d440c4ff3b4996509c296e9783b13fc201c2 Mon Sep 17 00:00:00 2001 From: Eden Reich Date: Wed, 13 May 2026 20:16:59 +0200 Subject: [PATCH 3/4] ci(nix): Move flake version+hash sync into release pipeline MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaces the per-PR auto-fix workflow with in-release synchronization. The release pipeline now installs Determinate Nix and the prepareCmd runs `determinate-nixd fix hashes --auto-apply flake.nix` alongside the version sed, so the release commit always has both correct `version =` and correct `vendorHash`. Tags become self-consistent, which is what's needed for cross-repo Flox manifests pinning to `github:inference-gateway/cli/v`. Reverts the nix-build.yml path filter additions for go.mod/go.sum. Without the auto-fix workflow, those filters would just produce noisy red CI on every Dependabot PR. nix-build now only runs when flake.nix itself changes. Removes nix-fix-hashes.yml. Dependabot PRs no longer auto-resolve vendorHash on the PR branch — `main` may have stale vendorHash between releases, but each release pipeline refreshes it. Trade-off: `nix build github:inference-gateway/cli` (default branch) may fail mid-cycle; pin to tags for reliability. Release pipeline cost: ~30-60s for Determinate Nix install + a few seconds for `fix hashes` (mostly cached after first release). --- .github/workflows/nix-build.yml | 5 +- .github/workflows/nix-fix-hashes.yml | 77 ---------------------------- .github/workflows/release.yml | 3 ++ .releaserc.yaml | 1 + 4 files changed, 5 insertions(+), 81 deletions(-) delete mode 100644 .github/workflows/nix-fix-hashes.yml diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml index ebd60305..df8ed376 100644 
--- a/.github/workflows/nix-build.yml +++ b/.github/workflows/nix-build.yml @@ -1,3 +1,4 @@ +--- name: Nix Build Verification concurrency: @@ -11,8 +12,6 @@ on: paths: - 'flake.nix' - 'flake.lock' - - 'go.mod' - - 'go.sum' - '.github/workflows/nix-build.yml' push: branches: @@ -20,8 +19,6 @@ on: paths: - 'flake.nix' - 'flake.lock' - - 'go.mod' - - 'go.sum' - '.github/workflows/nix-build.yml' workflow_dispatch: diff --git a/.github/workflows/nix-fix-hashes.yml b/.github/workflows/nix-fix-hashes.yml deleted file mode 100644 index 3f6d5eb6..00000000 --- a/.github/workflows/nix-fix-hashes.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -name: Nix Auto-fix Hashes - -concurrency: - group: nix-fix-${{ github.ref }} - cancel-in-progress: true - -on: - pull_request: - types: - - opened - - synchronize - - reopened - paths: - - 'flake.nix' - - 'flake.lock' - - 'go.mod' - - 'go.sum' - - '.github/workflows/nix-fix-hashes.yml' - -permissions: - contents: write - pull-requests: write - id-token: read - -jobs: - fix-hashes: - name: Auto-fix Nix hashes - runs-on: ubuntu-24.04 - steps: - - name: Create GitHub App Token - uses: actions/create-github-app-token@v3.2.0 - id: app_token - with: - client-id: ${{ secrets.BOT_GH_APP_ID }} - private-key: ${{ secrets.BOT_GH_APP_PRIVATE_KEY }} - owner: ${{ github.repository_owner }} - repositories: | - ${{ github.event.repository.name }} - - - name: Get GitHub App User ID - id: get_user_id - run: echo "user_id=$(gh api "/users/${{ steps.app_token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" - env: - GH_TOKEN: ${{ steps.app_token.outputs.token }} - - - name: Checkout PR branch - uses: actions/checkout@v6.0.2 - with: - token: ${{ steps.app_token.outputs.token }} - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} - fetch-depth: 0 - - - name: Install Determinate Nix - uses: DeterminateSystems/determinate-nix-action@v3 - - - name: Detect hash mismatches - id: check - run: nix flake check -L - continue-on-error: true - - - name: Auto-fix hashes and push - if: steps.check.outcome == 'failure' - env: - GH_TOKEN: ${{ steps.app_token.outputs.token }} - run: | - determinate-nixd fix hashes --auto-apply flake.nix - if git diff --quiet; then - echo "No hash fixes needed (build failed for a different reason)" - exit 1 - fi - - git config user.name "${{ steps.app_token.outputs.app-slug }}[bot]" - git config user.email "${{ steps.get_user_id.outputs.user_id }}+${{ steps.app_token.outputs.app-slug }}[bot]@users.noreply.github.com" - git add flake.nix - git commit -m "chore(nix): auto-fix 
vendorHash [dependabot skip]" - git push origin HEAD:${{ github.event.pull_request.head.ref }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 85a50a66..1d6c3026 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -71,6 +71,9 @@ jobs: conventional-changelog-conventionalcommits@9.1.0 \ conventional-changelog-cli@5.0.0 + - name: Install Determinate Nix + uses: DeterminateSystems/determinate-nix-action@v3 + - name: Check for existing releases id: check_releases env: diff --git a/.releaserc.yaml b/.releaserc.yaml index 6ba3a2ae..4e7baf24 100644 --- a/.releaserc.yaml +++ b/.releaserc.yaml @@ -90,6 +90,7 @@ plugins: - - "@semantic-release/exec" - prepareCmd: | sed -i.bak 's|version = "[^"]*";|version = "${nextRelease.version}";|' flake.nix && rm flake.nix.bak + determinate-nixd fix hashes --auto-apply flake.nix - - "@semantic-release/git" - assets: From c1c2c9c6ad616a1051b50a35bd013e3e7c0de0c4 Mon Sep 17 00:00:00 2001 From: Eden Reich Date: Wed, 13 May 2026 20:27:17 +0200 Subject: [PATCH 4/4] docs(release): Add Nix flake install instructions to release notes Adds a Nix Flake section to the release body template alongside the existing curl, binary download, and container image options. Shows both `nix run` for one-shot execution and the Flox manifest entry for cross-repo consumption, both pinned to the released tag. --- .releaserc.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.releaserc.yaml b/.releaserc.yaml index 4e7baf24..a833adc6 100644 --- a/.releaserc.yaml +++ b/.releaserc.yaml 
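Review bot: The added `Install Determinate Nix` step references `DeterminateSystems/determinate-nix-action@v3`, a mutable major tag, inside the release job. The job's remaining steps lie outside the hunk, but the later `Check for existing releases` step suggests it runs with release credentials, so whatever the tag points to at run time executes with them. Pinning to a reviewed commit keeps that fixed: `uses: DeterminateSystems/determinate-nix-action@<full-commit-sha> # v3`, where the placeholder is the SHA you have audited.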
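Review bot: The two lines of `prepareCmd` are not chained, so if the block runs as a plain shell script its exit status is that of `determinate-nixd fix hashes` alone, and a failed `sed`/`rm` on the first line would be masked. Start the block with `set -e` or join the lines with `&&`. The rewritten `vendorHash` is also committed with `[skip ci]`, so no workflow builds the tagged tree. Unless `fix hashes` already performs a full build, adding `nix build .#infer` as a last line of `prepareCmd` would stop a release whose pinned hash does not reproduce. Because the hash is re-pinned automatically at release time, go.sum is the only reviewed integrity anchor for dependencies, so go.sum changes deserve the scrutiny the hash bump used to get.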
@@ -130,6 +130,21 @@ plugins: curl -fsSL https://raw.githubusercontent.com/inference-gateway/cli/main/install.sh | bash -s -- --install-dir $HOME/.local/bin ``` + ### Nix Flake + + Run directly without installing: + + ```bash + nix run github:inference-gateway/cli/<%= nextRelease.gitTag %> + ``` + + Or pin it in a [Flox](https://flox.dev) manifest (`.flox/env/manifest.toml`): + + ```toml + [install] + infer.flake = "github:inference-gateway/cli/<%= nextRelease.gitTag %>" + ``` + ### Binary Download Download the appropriate binary for your platform from the assets below.