feat(nix): add package validation and pinned lock regeneration#284

Open
elucid wants to merge 4 commits into main from fix/nix-packaging-ci

Conversation

@elucid
Member

@elucid elucid commented May 11, 2026

Summary

  • add a dedicated Nix workflow that verifies the generated dependency lock, checks flake outputs, builds the package, and smoke-tests the installed binary
  • expose a named hunk package plus nix run app outputs, including a pinned update-bun-lock app used by bun run nix:update-lock
  • document nix run, named package builds, and pinned lock regeneration
  • pin @types/bun to the locked version so bun2nix regeneration is reproducible and warning-free

Verification

  • bun run format:check
  • bun run nix:update-lock && git diff --exit-code nix/bun.lock.nix
  • nix flake check --print-build-logs
  • nix build .#default --print-build-logs
  • nix run . -- --version
  • nix flake check --all-systems --no-build

@socket-security

socket-security Bot commented May 11, 2026

Review the following changes in direct dependencies.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | @types/bun@1.3.13 ⏵ 1.3.10 | 100 | 100 | 49 | 92 | 100 |


@greptile-apps
Contributor

greptile-apps Bot commented May 11, 2026

Greptile Summary

This PR moves Nix-specific CI validation into a dedicated nix.yml workflow and enriches the flake with named package and app outputs. It also pins @types/bun to the project's locked Bun version to make bun2nix regeneration reproducible.

  • Nix workflow: a new nix.yml runs lockfile drift detection (via the new flake-pinned update-bun-lock app), nix flake check, nix build, and a smoke test against the built binary; the equivalent inline steps are removed from ci.yml and pr-ci.yml.
  • Flake outputs: packages.hunk is exposed as a named output (with default aliased to it), and a new apps section provides both a nix run entry point and the pinned update-bun-lock maintenance tool.
  • Developer tooling: bun run nix:update-lock now delegates to nix run .#update-bun-lock, ensuring the same bun2nix version is used locally and in CI; the README documents the Nix prerequisite.

Confidence Score: 4/5

Safe to merge; changes are additive and well-scoped to Nix packaging infrastructure with no impact on the core application.

The core logic — moving lockfile verification into a dedicated workflow, exposing named flake outputs, and pinning @types/bun — is correct and consistent with the rest of the codebase. The two observations are minor: the duplicate nixpkgs import across packages and apps is an evaluation-time inefficiency, and the Nix workflow only exercises x86_64-linux, leaving Darwin and ARM evaluation untested in CI.

flake.nix (duplicate nixpkgs instantiation) and .github/workflows/nix.yml (single-platform coverage) are worth a second look before merging.

Important Files Changed

| Filename | Overview |
| --- | --- |
| flake.nix | Adds named hunk package output aliased to default, and a new apps section exposing nix run and the pinned update-bun-lock tool; duplicates nixpkgs instantiation across packages and apps blocks. |
| .github/workflows/nix.yml | New dedicated Nix CI workflow covering lockfile drift detection, nix flake check, package build, and smoke tests; only validates x86_64-linux, with no cross-system evaluation check. |
| .github/workflows/ci.yml | Removes Nix lockfile verification step now handled by the dedicated nix.yml workflow. |
| .github/workflows/pr-ci.yml | Removes Nix lockfile verification step now handled by the dedicated nix.yml workflow. |
| package.json | Updates nix:update-lock to delegate to the flake-pinned nix run .#update-bun-lock and pins @types/bun to 1.3.10 for reproducible Nix builds. |
| nix/README.md | Documents the new named package output, nix run usage, and that the update script requires Nix. |
| bun.lock | Pins @types/bun from latest to 1.3.10 matching the project's locked Bun version. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    PR[Pull Request / Push to main]
    PR --> NIX[nix.yml: Nix Workflow]
    PR --> CI[ci.yml / pr-ci.yml: Bun CI]

    NIX --> LOCK[Verify Nix lockfile\nnix run .#update-bun-lock\ngit diff nix/bun.lock.nix]
    NIX --> CHECK[nix flake check\n--print-build-logs]
    NIX --> BUILD[nix build .#default\n--print-build-logs]
    NIX --> SMOKE[Smoke test\nhunk --version\nhunk skill path]

    LOCK -->|drift detected| FAIL[Fail: regenerate lockfile]
    LOCK -->|up to date| CHECK
    CHECK --> BUILD
    BUILD --> SMOKE

    subgraph flake.nix outputs
        PKG[packages.hunk\npackages.default]
        APP_DEFAULT[apps.default\nnix run .]
        APP_UPDATE[apps.update-bun-lock\nbun run nix:update-lock]
    end

    APP_UPDATE --> LOCK
    BUILD --> PKG
    APP_DEFAULT --> PKG
```
Prompt To Fix All With AI
Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
flake.nix:45-68
**Duplicate nixpkgs instantiation in `apps`**

The `apps` block instantiates `pkgs = import nixpkgs { inherit system; };` independently from the `packages` block, which does the same. Every call to `forAllSystems` in `apps` and `packages` produces a separate `nixpkgs` evaluation per system, doubling the import cost at evaluation time. Since `devShells` already follows this pattern, the same fix could apply to all three: share a single `pkgs` via a unified `forAllSystems` call or hoist `pkgs` into the outer `let` binding with `forAllSystems`.

### Issue 2 of 2
.github/workflows/nix.yml:46-47
**`nix flake check` only validates the current system's outputs**

Without `--all-systems`, `nix flake check` only evaluates and builds outputs for `x86_64-linux` (the runner's platform). The flake declares four supported systems (`x86_64-linux`, `aarch64-linux`, `x86_64-darwin`, `aarch64-darwin`), so Darwin and ARM builds are never CI-verified. Adding `--no-build` to a second `nix flake check --all-systems --no-build` step (consistent with the verification steps listed in the PR description) would at least catch evaluation errors across all systems without requiring cross-compilation builders.

Reviews (1): Last reviewed commit: "feat(nix): add package validation and pi..."

elucid force-pushed the fix/nix-packaging-ci branch from 3230ac5 to bcd9013 on May 11, 2026 04:10
@elucid
Member Author

elucid commented May 11, 2026

Note for maintainers

CI now validates that nix/bun.lock.nix stays in sync with bun.lock. If you update JavaScript/Bun dependencies and don't regenerate the Nix lockfile, the Package CI job will fail with a clear error.

To regenerate, you need Nix installed (one-time setup: curl -L https://nixos.org/nix/install | sh), then run:

```sh
bun install
bun run nix:update-lock
git add bun.lock nix/bun.lock.nix package.json
```

If a contributor doesn't have Nix, CI will catch the drift and a maintainer with Nix can push the regenerated lockfile as a follow-up commit.
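The drift gate described in the note above, as an added POSIX shell example that is not code from this PR or the hunk project: the lockfile name and the generator command are parameters, and in the fixture a no-op (`true`) or a constructed `echo` stands in for the PR's real `nix run .#update-bun-lock`. It also refuses to run on a dirty lockfile, since a drift result is only attributable to the generator when the checkout was clean.

```shell
# check_lock_drift REPO LOCKFILE REGEN_CMD
#   Regenerates the lockfile inside REPO with REGEN_CMD, then fails if the
#   committed LOCKFILE no longer matches what the pinned generator produces.
#   Exit codes: 0 in sync, 1 drift, 2 generator failed, 3 dirty before regen.
check_lock_drift() {
  repo=$1; lockfile=$2; regen=$3
  # Only meaningful on a clean checkout: uncommitted edits to the lockfile
  # would otherwise be misreported as generator output.
  if ! git -C "$repo" diff --quiet -- "$lockfile"; then
    echo "ERROR: $lockfile has uncommitted changes; commit or discard them first" >&2
    return 3
  fi
  # REGEN_CMD is an assumption standing in for: nix run .#update-bun-lock
  ( cd "$repo" && sh -c "$regen" ) || { echo "ERROR: lockfile generator failed" >&2; return 2; }
  # --quiet implies --exit-code: non-zero means the working tree differs from HEAD
  if git -C "$repo" diff --quiet -- "$lockfile"; then
    echo "$lockfile is in sync with its inputs"
    return 0
  fi
  echo "ERROR: $lockfile is out of date. Run 'bun install && bun run nix:update-lock' and commit the result:" >&2
  git -C "$repo" diff --stat -- "$lockfile" >&2
  return 1
}

# make_fixture: builds a constructed throwaway repo with one committed lockfile
# and prints its path (sample content only, not the project's real file).
make_fixture() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  printf '{ "@types/bun" = "1.3.10"; }\n' > "$dir/bun.lock.nix"
  git -C "$dir" add bun.lock.nix
  git -C "$dir" -c user.name=ci -c user.email=ci@example.invalid commit -q -m "constructed fixture"
  echo "$dir"
}
```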

