feat(ci): pass all_systems through _ci-gate.yml to _nix-validate.yml #313
Merged
PR #300 added the `all_systems` input to `_nix-validate.yml` (default true) so platform-specific consumer repos could opt out of `--all-systems`. But `_ci-gate.yml` — which most consumer repos actually call — silently ignored that input, leaving consumers no way to opt out without forking the gate.

Add `all_systems: { type: boolean, default: true }` to `_ci-gate.yml` and forward it to the `nix-validate` reusable job. Default remains true to keep catching darwin-only `meta.broken` packages from the linux runner.

The real root-cause fix lives in consumer flakes (use `runCommandLocal`, scope source-only checks to the CI system) — this passthrough is the defensive safety valve for any case where flake-level fixes are not yet possible.

Assisted-by: Claude <noreply@anthropic.com>
Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.
Pull request overview
Adds a missing passthrough in the shared CI Gate reusable workflow so callers can control whether `nix flake check` runs with `--all-systems` via the existing `_nix-validate.yml` input.

Changes:
- Introduces an `all_systems` boolean input on `_ci-gate.yml` (default `true`).
- Forwards `inputs.all_systems` into the `nix-validate` reusable workflow call.
This was referenced May 14, 2026
JacobPEvans added a commit to JacobPEvans/nix-ai that referenced this pull request May 14, 2026
…lt (#774)

Companion to nix-home#241 and nix-darwin#1101. This repo had been opting out of `--all-systems` via `all_systems: false` in ci-gate.yml to dodge "platform mismatch" errors on the linux runner. The opt-out loses the cross-platform evaluation that --all-systems was added for.

Apply the same root-cause fix:
- Scope `checks` to x86_64-linux only. The checks in lib/checks.nix are source-only or evaluation-wrapped — running once on the CI system is sufficient. Other systems intentionally have no `checks` entries.
- Remove `all_systems: false` so the `_nix-validate.yml` default (`true`) takes effect.

Cross-system breakage is still caught: `packages.<system>`, `formatter.<system>`, and `overlays.default` remain `forAllSystems` and are evaluated by --all-systems for every declared system.

Also drop `secrets: inherit` from the python-security job — the called workflow does not declare any secrets, so the inherit is dead code and zizmor (correctly) flags it as an unnecessary blast-radius expansion.

Refs: JacobPEvans/.github#300, JacobPEvans/.github#313 (passthrough)
Refs: JacobPEvans/nix-home#241, JacobPEvans/nix-darwin#1101 (same fix)
Assisted-by: Claude <noreply@anthropic.com>
JacobPEvans added a commit to JacobPEvans/nix-darwin that referenced this pull request May 14, 2026
…lt (#1101)

Companion to nix-home/fix-flake-checks. This repo had been opting out of `--all-systems` via `all_systems: false` in ci-gate.yml and ci-validate.yml to dodge "platform mismatch" errors on the linux runner. That workaround loses the cross-platform evaluation that motivated --all-systems in the first place (catching darwin-only meta.broken packages in nixpkgs).

Apply the same root-cause fix used in nix-home:
- Scope `checks` to x86_64-linux only. All checks in lib/checks.nix are source-only (formatting, statix, deadnix, shellcheck, shell-tests) — running them once on the CI system is sufficient.
- Drop `darwinConfigurations` from the check args. The darwin module-eval check was already gated on `system == aarch64-darwin` and never ran in CI under the prior `all_systems: false` workaround, so this is no regression. If on-runner darwin module-eval is desired, run it via a dedicated darwin-runner workflow or post-merge job.
- Remove `all_systems: false` from ci-gate.yml and ci-validate.yml so the `_nix-validate.yml` default (`true`) takes effect.

With these changes, `nix flake check --all-systems` succeeds on x86_64-linux runners and still evaluates `packages.aarch64-darwin.*`, `devShells.aarch64-darwin.default`, `formatter.aarch64-darwin`, and the `darwinConfigurations.*` graph cross-system — so darwin breakage in nixpkgs continues to be caught at PR time.

Refs: JacobPEvans/.github#300, JacobPEvans/.github#313 (passthrough)
Refs: JacobPEvans/nix-home#241 (same fix in nix-home)
Assisted-by: Claude <noreply@anthropic.com>
Summary

- `all_systems` input to `_nix-validate.yml` (default `true`) so platform-specific consumer flakes could opt out of `--all-systems`. But `_ci-gate.yml` — which most consumer repos actually call — does not pass that input through, leaving consumers no clean opt-out lever.
- `all_systems` input to `_ci-gate.yml` and forward it to the `nix-validate` reusable job. Default remains `true` so we keep catching darwin-only `meta.broken` packages from the linux runner.

Why this matters

Real evidence of the missing lever: nix-home PR #240 run 25863775332 fails with 12 platform-mismatch errors on `checks.aarch64-linux.*`, `checks.x86_64-darwin.*`, `checks.aarch64-darwin.*`. Without this passthrough, nix-home cannot opt out from its `_ci-gate.yml` caller without forking the workflow.

Important: this is a defensive safety valve, not the root-cause fix

The actual root cause is consumer flakes declaring `checks.<system>.foo = pkgs.<system>.runCommand ...` for every declared system. `runCommand` requires the platform's hardware to execute, so cross-platform check derivations fail with "platform mismatch" from the linux runner.

The root-cause fix lives in each consumer flake:
- `formatting`, `shellcheck`, `deadnix`, `statix`) — declare only on `x86_64-linux` (the CI system). Source files are identical across systems.
- `module-eval`) — use `runCommandLocal` instead of `runCommand` so they don't require platform-specific builders.

Follow-up PRs to nix-home, nix-darwin, nix-ai (and any other affected consumers) will apply the flake-level fix so `--all-systems` succeeds with no opt-out needed.

Test plan

- `all_systems: false` in their `_ci-gate.yml` caller and observe `--all-systems` is dropped from the `nix flake check` invocation
- `all_systems`
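
The three-layer passthrough described in this pull request, as an added sketch that is not the repository's actual workflow files. Job names, step contents, the caller's file name and the `<pinned-commit-sha>` placeholder are assumptions; only the `all_systems` input, its `true` default and the workflow file names `_ci-gate.yml` and `_nix-validate.yml` come from the page.

```yaml
# --- .github/workflows/_ci-gate.yml (shared gate, sketch) ---
on:
  workflow_call:
    inputs:
      all_systems:          # mirrors the input _nix-validate.yml already declares
        type: boolean
        default: true       # cross-system evaluation stays on unless a caller opts out
jobs:
  nix-validate:
    uses: ./.github/workflows/_nix-validate.yml
    with:
      # Without this line the callee's default always wins and callers
      # of the gate have no way to change it.
      all_systems: ${{ inputs.all_systems }}
---
# --- .github/workflows/_nix-validate.yml (assumed shape of the consuming job) ---
on:
  workflow_call:
    inputs:
      all_systems:
        type: boolean
        default: true
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # checkout and Nix install steps omitted from this sketch
      - name: nix flake check
        env:
          # Pass the input through the environment rather than
          # interpolating an expression into the script body.
          ALL_SYSTEMS: ${{ inputs.all_systems }}
        run: |
          if [ "$ALL_SYSTEMS" = "true" ]; then
            nix flake check --all-systems
          else
            nix flake check
          fi
---
# --- consumer repo: .github/workflows/ci-gate.yml (caller, sketch) ---
on: [pull_request]
jobs:
  gate:
    uses: JacobPEvans/.github/.github/workflows/_ci-gate.yml@<pinned-commit-sha>
    with:
      all_systems: false    # the opt-out lever this PR makes reachable
    # No `secrets: inherit`: the gate in this sketch declares no secrets.
```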