fix(ci): make --all-systems opt-in via workflow input #300
Merged
`nix flake check --all-systems` attempts to BUILD outputs for every declared
system, not just evaluate. For repos whose checks are pkgs.runCommand
derivations (nix-darwin: module-eval; nix-ai: wrap-claude-command, gemini-
policy, fabric-patterns-marketplace, maestro-cli, pal-mcp-server, plus the
check-* derivations) building cross-platform on the linux runner fails with:
    error: Cannot build '<hash>-X.drv'.
    Reason: platform mismatch
    Required system: 'aarch64-darwin'
    Current system: 'x86_64-linux'
Disk cleanup (introduced in #299) doesn't address this — platform mismatch
is a build-time issue, not a space issue. --no-build (introduced in #298)
broke substitution context for input flakes, producing "path is not valid"
errors elsewhere.
Solution: add an `all_systems` boolean input (default true) so consumers
opt-out per-repo. nix-home keeps the default (its module-eval was made
platform-aware so it works with --all-systems). nix-darwin and nix-ai
should set `all_systems: false` in their ci-gate workflow caller.
The free-disk-space step is now gated on `all_systems && ubuntu-*` since
disk pressure only happens when substituting cross-platform closures.
Assisted-by: Claude <noreply@anthropic.com>
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
Pull request overview
Updates the reusable Nix validation workflow to let callers control whether nix flake check runs with cross-system checks (--all-systems), and avoids unnecessary disk cleanup when that mode is disabled. This supports consumers that can’t build/evaluate cross-platform check derivations from a Linux runner due to platform-mismatch failures.
Changes:
- Add a boolean `all_systems` workflow input (defaulting to `true`).
- Conditionally include `--all-systems` in the `nix flake check` invocation.
- Gate the “Free disk space” step on `all_systems` and Ubuntu runners.
JacobPEvans added a commit to JacobPEvans/nix-darwin that referenced this pull request on May 11, 2026

nix-darwin's module-eval and other darwin-specific checks are pkgs.runCommand derivations that require darwin binaries to build. `nix flake check --all-systems` (added in JacobPEvans/.github#294) tried to build them on the linux runner and failed with:

    error: Cannot build '<hash>-check-module-eval.drv'.
    Reason: platform mismatch
    Required system: 'aarch64-darwin'
    Current system: 'x86_64-linux'

The .github reusable workflow now exposes `all_systems` as an input (JacobPEvans/.github#300, default true). Set it to false here so this repo's CI evaluates the current system only — restores the pre-#294 working behavior.

Assisted-by: Claude <noreply@anthropic.com>

JacobPEvans added a commit to JacobPEvans/nix-ai that referenced this pull request on May 11, 2026

nix-ai's check suite (wrap-claude-command-*, gemini-policy.toml, fabric-patterns-marketplace, maestro-cli, pal-mcp-server, check-* derivations) are pkgs.runCommand builds that need darwin binaries. `nix flake check --all-systems` (added in JacobPEvans/.github#294) tried to build them on the linux runner and failed with:

    error: Cannot build '<hash>-wrap-claude-command-X.drv'.
    Reason: platform mismatch
    Required system: 'aarch64-darwin'
    Current system: 'x86_64-linux'

The .github reusable workflow now exposes `all_systems` as an input (JacobPEvans/.github#300, default true). Set it to false here so this repo's CI evaluates the current system only — restores the pre-#294 working behavior.

Assisted-by: Claude <noreply@anthropic.com>

JacobPEvans added a commit to JacobPEvans/nix-ai that referenced this pull request on May 14, 2026

…lt (#774)

Companion to nix-home#241 and nix-darwin#1101. This repo had been opting out of `--all-systems` via `all_systems: false` in ci-gate.yml to dodge "platform mismatch" errors on the linux runner. The opt-out loses the cross-platform evaluation that --all-systems was added for.

Apply the same root-cause fix:

- Scope `checks` to x86_64-linux only. The checks in lib/checks.nix are source-only or evaluation-wrapped — running once on the CI system is sufficient. Other systems intentionally have no `checks` entries.
- Remove `all_systems: false` so the `_nix-validate.yml` default (`true`) takes effect.

Cross-system breakage is still caught: `packages.<system>`, `formatter.<system>`, and `overlays.default` remain `forAllSystems` and are evaluated by --all-systems for every declared system.

Also drop `secrets: inherit` from the python-security job — the called workflow does not declare any secrets, so the inherit is dead code and zizmor (correctly) flags it as an unnecessary blast-radius expansion.

Refs: JacobPEvans/.github#300, JacobPEvans/.github#313 (passthrough)
Refs: JacobPEvans/nix-home#241, JacobPEvans/nix-darwin#1101 (same fix)
Assisted-by: Claude <noreply@anthropic.com>

JacobPEvans added a commit to JacobPEvans/nix-darwin that referenced this pull request on May 14, 2026

…lt (#1101)

Companion to nix-home/fix-flake-checks. This repo had been opting out of `--all-systems` via `all_systems: false` in ci-gate.yml and ci-validate.yml to dodge "platform mismatch" errors on the linux runner. That workaround loses the cross-platform evaluation that motivated --all-systems in the first place (catching darwin-only meta.broken packages in nixpkgs).

Apply the same root-cause fix used in nix-home:

- Scope `checks` to x86_64-linux only. All checks in lib/checks.nix are source-only (formatting, statix, deadnix, shellcheck, shell-tests) — running them once on the CI system is sufficient.
- Drop `darwinConfigurations` from the check args. The darwin module-eval check was already gated on `system == aarch64-darwin` and never ran in CI under the prior `all_systems: false` workaround, so this is no regression. If on-runner darwin module-eval is desired, run it via a dedicated darwin-runner workflow or post-merge job.
- Remove `all_systems: false` from ci-gate.yml and ci-validate.yml so the `_nix-validate.yml` default (`true`) takes effect.

With these changes, `nix flake check --all-systems` succeeds on x86_64-linux runners and still evaluates `packages.aarch64-darwin.*`, `devShells.aarch64-darwin.default`, `formatter.aarch64-darwin`, and the `darwinConfigurations.*` graph cross-system — so darwin breakage in nixpkgs continues to be caught at PR time.

Refs: JacobPEvans/.github#300, JacobPEvans/.github#313 (passthrough)
Refs: JacobPEvans/nix-home#241 (same fix in nix-home)
Assisted-by: Claude <noreply@anthropic.com>

JacobPEvans added a commit to JacobPEvans/nix-home that referenced this pull request on May 14, 2026

…ity (#241)

`nix flake check --all-systems` evaluates every flake output across all declared systems from a single runner. For `checks.<system>.foo`, this means Nix tries to BUILD that derivation, which fails with "platform mismatch" when the derivation's system doesn't match the runner's system. PR #240 surfaced this with 12 platform-mismatch failures on checks.{aarch64-linux,x86_64-darwin,aarch64-darwin}.* — the linux runner can only build x86_64-linux derivations.

Scope `checks` to `x86_64-linux` only. All current checks are either:

- source-only (formatting, statix, deadnix, shellcheck) — they operate on the same source files regardless of target system, so running once on the CI system is sufficient and equivalent.
- evaluation-wrapped (module-eval) — the home-manager activation is evaluated via unsafeDiscardStringContext; darwin variants already skip with a string fallback (arrow-cpp meta.broken in 25.11), so scoping to linux loses no signal.

Cross-platform breakage is still caught by --all-systems via packages.<system>, devShells.<system>, formatter.<system>, and overlays, which remain forAllSystems below.

The companion architectural fix lives in JacobPEvans/.github PR #313 — expose `all_systems` as a passthrough in `_ci-gate.yml` so consumer repos have a clean opt-out lever for any future edge case. This flake-level fix makes the opt-out unnecessary for nix-home: `--all-systems` succeeds with the default `true`.

Refs: JacobPEvans/.github#300
Fixes: #240 nix-validate failure
Assisted-by: Claude <noreply@anthropic.com>

JacobPEvans added a commit that referenced this pull request on May 14, 2026

…313)

PR #300 added the `all_systems` input to `_nix-validate.yml` (default true) so platform-specific consumer repos could opt out of `--all-systems`. But `_ci-gate.yml` — which most consumer repos actually call — silently ignored that input, leaving consumers no way to opt out without forking the gate.

Add `all_systems: { type: boolean, default: true }` to `_ci-gate.yml` and forward it to the `nix-validate` reusable job. Default remains true to keep catching darwin-only `meta.broken` packages from the linux runner.

The real root-cause fix lives in consumer flakes (use `runCommandLocal`, scope source-only checks to the CI system) — this passthrough is the defensive safety valve for any case where flake-level fixes are not yet possible.

Assisted-by: Claude <noreply@anthropic.com>

Summary
Why
`nix flake check --all-systems` attempts to BUILD outputs for every declared system, not just evaluate. Disk cleanup (#299) doesn't help — platform mismatch is a build-time issue. `--no-build` (#298) broke substitution context for input flakes.
Per-repo behavior under `--all-systems`:
Making the flag opt-in lets each consumer choose. nix-home keeps the default. nix-darwin and nix-ai pass `all_systems: false` in their ci-gate caller workflow until their checks are restructured (e.g. via `unsafeDiscardStringContext` or platform-conditional definitions).
Follow-up
nix-darwin and nix-ai each need a small follow-up PR setting `all_systems: false` on the `_nix-validate.yml` caller in their respective `.github/workflows/ci-gate.yml`. I'll open those after this merges.
Test plan
Assisted-by: Claude <noreply@anthropic.com>
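
The pattern the description above explains, as an added sketch (not code from this pull request or from the JacobPEvans/.github repository): a reusable workflow that exposes `all_systems`, gates the disk-cleanup step on it, and a consumer that opts out. The `runner` input, the Nix installer action, the cleanup paths and the `@main` ref are assumptions.

```yaml
# Two files shown as two YAML documents. Names marked "assumed" are not
# taken from the pull request.
# --- reusable workflow: .github/workflows/_nix-validate.yml ---
on:
  workflow_call:
    inputs:
      all_systems:
        description: Pass --all-systems to `nix flake check`
        type: boolean
        default: true
      runner:                        # assumed input name
        type: string
        default: ubuntu-latest

permissions:
  contents: read                     # the check only needs to read the repo

jobs:
  nix-validate:
    runs-on: ${{ inputs.runner }}
    steps:
      - uses: actions/checkout@v4
      - name: Free disk space
        # Disk pressure only arises when cross-platform closures are substituted.
        if: ${{ inputs.all_systems && startsWith(inputs.runner, 'ubuntu-') }}
        run: sudo rm -rf /usr/share/dotnet /opt/ghc   # assumed cleanup targets
      - uses: cachix/install-nix-action@v31            # assumed installer
      - name: nix flake check
        env:
          # Hand the input to the script through env rather than inlining it.
          ALL_SYSTEMS: ${{ inputs.all_systems }}
        run: |
          flag=""
          if [ "$ALL_SYSTEMS" = "true" ]; then
            flag="--all-systems"
          fi
          nix flake check ${flag:+"$flag"}
---
# --- consumer repo: .github/workflows/ci-gate.yml ---
on: pull_request
jobs:
  nix-validate:
    # Ref is assumed; pin to a commit SHA in practice.
    uses: JacobPEvans/.github/.github/workflows/_nix-validate.yml@main
    with:
      all_systems: false             # check the runner's own system only
```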