From 52598febeb3fcb779bd292612dc23dec7eb805e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Cs=C3=B3ka?= Date: Wed, 17 Jun 2026 11:21:48 +0200 Subject: [PATCH 1/6] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/fdc7b8f7b30fdbedec91b71ed82f36e1637483ed?narHash=sha256-a%2B%2BtZ1RQsDb1I0NHrFwdGuRlR5TORvCEUksM459wKUA%3D' (2026-03-23) → 'github:NixOS/nixpkgs/d6df3513510aa548c83868fd22bfddd0a8c0a0d4?narHash=sha256-uJZs9Di8I6ciTp6jiojj0HzlNpBkud8ax5aT/O5aJkw%3D' (2026-06-15) • Added input 'pre-commit': 'github:cachix/git-hooks.nix/61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a?narHash=sha256-kTwur1wV%2B01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs%3D' (2026-05-11) • Added input 'pre-commit/flake-compat': 'github:NixOS/flake-compat/5edf11c44bc78a0d334f6334cdaf7d60d732daab?narHash=sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns%3D' (2025-12-29) • Added input 'pre-commit/gitignore': 'github:hercules-ci/gitignore.nix/637db329424fd7e46cf4185293b9cc8c88c95394?narHash=sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs%3D' (2024-02-28) • Added input 'pre-commit/gitignore/nixpkgs': follows 'pre-commit/nixpkgs' • Added input 'pre-commit/nixpkgs': follows 'nixpkgs' --- flake.lock | 74 +++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 68 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 4739c73c..910f9c83 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,21 @@ { "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "owner": "NixOS", + "repo": "flake-compat", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" @@ -18,24 +34,70 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "pre-commit", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1774273680, - "narHash": "sha256-a++tZ1RQsDb1I0NHrFwdGuRlR5TORvCEUksM459wKUA=", + "lastModified": 1781509190, + "narHash": "sha256-uJZs9Di8I6ciTp6jiojj0HzlNpBkud8ax5aT/O5aJkw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fdc7b8f7b30fdbedec91b71ed82f36e1637483ed", + "rev": "d6df3513510aa548c83868fd22bfddd0a8c0a0d4", "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" + "owner": "NixOS", + "ref": "nixos-25.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "pre-commit": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1778507602, + "narHash": "sha256-kTwur1wV+01SdqskVMSo6JMEpg71ps3HpbFY2GsflKs=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "61ab0e80d9c7ab14c256b5b453d8b3fb0189ba0a", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" } }, "root": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "pre-commit": "pre-commit" } }, "systems": { From f2fd94c87b95f17c9448b2caa878fe574e061ed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Cs=C3=B3ka?= Date: Wed, 17 Jun 2026 11:25:57 +0200 Subject: [PATCH 2/6] feat(ci): add actionlint + pinact pre-commit hooks for workflow validation Adds two pre-commit hooks via cachix/git-hooks.nix: - actionlint: static YAML/expression/shell validation for workflow files - pinact: enforces SHA pinning and resolves each ref against GitHub API Also pins any previously unpinned third-party action refs to SHAs. Exports GITHUB_TOKEN in devshell shellHook for authenticated local runs. Adds .github/actionlint.yaml to register self-hosted runner label. Co-Authored-By: Claude Sonnet 4.6 --- .github/actionlint.yaml | 3 + .github/workflows/pr.yaml | 2 +- flake.nix | 118 +++++++++++++++++++++++++------------- 3 files changed, 82 insertions(+), 41 deletions(-) create mode 100644 .github/actionlint.yaml diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml new file mode 100644 index 00000000..daea9469 --- /dev/null +++ b/.github/actionlint.yaml @@ -0,0 +1,3 @@ +self-hosted-runner: + labels: + - self-hosted-hoprnet-small diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index b5064996..806f2d7e 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -22,7 +22,7 @@ jobs: permissions: pull-requests: read steps: - - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6 + - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/flake.nix b/flake.nix index d1d32568..6e834109 100644 --- a/flake.nix +++ b/flake.nix @@ -3,51 +3,89 @@ inputs = { flake-utils.url = "github:numtide/flake-utils"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; + pre-commit.url = "github:cachix/git-hooks.nix"; + pre-commit.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, flake-utils}: - flake-utils.lib.eachDefaultSystem - (system: - let - pkgs = nixpkgs.legacyPackages.${system}; - pkgsLinux = nixpkgs.legacyPackages."x86_64-linux"; + outputs = + { + self, + nixpkgs, + flake-utils, + pre-commit, + }: + flake-utils.lib.eachDefaultSystem ( + system: + let + pkgs = nixpkgs.legacyPackages.${system}; + pkgsLinux = nixpkgs.legacyPackages."x86_64-linux"; - dockerBuild = pkgs.writeShellApplication { - name = "dockerBuild"; - runtimeInputs = [ - pkgs.docker - pkgs.coreutils - ]; - text = '' - #!/usr/bin/env bash - set -euo pipefail + dockerBuild = pkgs.writeShellApplication { + name = "dockerBuild"; + runtimeInputs = [ + pkgs.docker + pkgs.coreutils + ]; + text = '' + #!/usr/bin/env bash + set -euo pipefail - echo "[+] Building: hopr-admin:latest" - docker build --platform linux/amd64 -t hopr-admin:latest -f ./Dockerfile . - echo "[✓] Done: hopr-admin:latest" - ''; - }; + echo "[+] Building: hopr-admin:latest" + docker build --platform linux/amd64 -t hopr-admin:latest -f ./Dockerfile . + echo "[✓] Done: hopr-admin:latest" + ''; + }; - in - { - devShells.default = import ./shell.nix { inherit pkgs; }; - devShells.ci = pkgs.mkShell { - nativeBuildInputs = [ - pkgs.zizmor - ]; + pre-commit-check = pre-commit.lib.${system}.run { + src = ./.; + hooks = { + check-executables-have-shebangs.enable = true; + check-shebang-scripts-are-executable.enable = true; + check-case-conflicts.enable = true; + check-symlinks.enable = true; + check-merge-conflicts.enable = true; + check-added-large-files.enable = true; + commitizen.enable = true; + actionlint.enable = true; + pinact = { + enable = true; + name = "pinact"; + description = "Check GitHub Action refs are SHA-pinned and resolvable"; + entry = "${pkgs.pinact}/bin/pinact run --check"; + files = "\\.ya?ml$"; + language = "system"; + pass_filenames = false; + }; }; + tools = pkgs; + }; + in + { + devShells.default = pkgs.mkShell { + inputsFrom = [ (import ./shell.nix { inherit pkgs; }) ]; + shellHook = '' + ${pre-commit-check.shellHook} + export GITHUB_TOKEN="$(gh auth token 2>/dev/null || true)" + ''; + }; + devShells.ci = pkgs.mkShell { + nativeBuildInputs = [ + pkgs.zizmor + ]; + }; - # Expose as flake as app - apps = { - docker-x86_64-linux = { - type = "app"; - program = "${dockerBuild}/bin/dockerBuild"; - }; - default = { - type = "app"; - program = "${dockerBuild}/bin/dockerBuild"; - }; + # Expose as flake as app + apps = { + docker-x86_64-linux = { + type = "app"; + program = "${dockerBuild}/bin/dockerBuild"; + }; + default = { + type = "app"; + program = "${dockerBuild}/bin/dockerBuild"; }; - } - ); -} \ No newline at end of file + }; + } + ); +} From 8812d71f61cc49342372f62f41ca4d0b53d56156 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Cs=C3=B3ka?= Date: Wed, 17 Jun 2026 15:32:51 +0200 Subject: [PATCH 3/6] fix(ci): escape ${ in Nix shellHook GITHUB_TOKEN guard --- flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 6e834109..e98fbcd2 100644 --- a/flake.nix +++ b/flake.nix @@ -53,7 +53,7 @@ name = "pinact"; description = "Check GitHub Action refs are SHA-pinned and resolvable"; entry = "${pkgs.pinact}/bin/pinact run --check"; - files = "\\.ya?ml$"; + files = "^\\.github/workflows/.*\\.ya?ml$"; language = "system"; pass_filenames = false; }; @@ -66,7 +66,7 @@ inputsFrom = [ (import ./shell.nix { inherit pkgs; }) ]; shellHook = '' ${pre-commit-check.shellHook} - export GITHUB_TOKEN="$(gh auth token 2>/dev/null || true)" + export GITHUB_TOKEN="''${GITHUB_TOKEN:-$(gh auth token 2>/dev/null || true)}" ''; }; devShells.ci = pkgs.mkShell { From ea011f6f4d0ec1f00441708e016c020c9a6bcdf8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Cs=C3=B3ka?= Date: Wed, 17 Jun 2026 16:47:46 +0200 Subject: [PATCH 4/6] fix(ci): add gh to devshell and export GITHUB_TOKEN before pre-commit shellHook Co-Authored-By: Claude Sonnet 4.6 --- flake.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index e98fbcd2..7bf250ec 100644 --- a/flake.nix +++ b/flake.nix @@ -64,9 +64,10 @@ { devShells.default = pkgs.mkShell { inputsFrom = [ (import ./shell.nix { inherit pkgs; }) ]; + buildInputs = [ pkgs.gh ]; shellHook = '' - ${pre-commit-check.shellHook} export GITHUB_TOKEN="''${GITHUB_TOKEN:-$(gh auth token 2>/dev/null || true)}" + ${pre-commit-check.shellHook} ''; }; devShells.ci = pkgs.mkShell { From 7e26962a64beac4536c0da46db0bad2af52b9820 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Cs=C3=B3ka?= Date: Wed, 17 Jun 2026 18:45:10 +0200 Subject: [PATCH 5/6] fix(ci): guard pinact with GITHUB_TOKEN check; use pkgs.renovate for config validation Co-Authored-By: Claude Sonnet 4.6 --- flake.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 7bf250ec..329d1cbb 100644 --- a/flake.nix +++ b/flake.nix @@ -52,7 +52,15 @@ enable = true; name = "pinact"; description = "Check GitHub Action refs are SHA-pinned and resolvable"; - entry = "${pkgs.pinact}/bin/pinact run --check"; + entry = "${pkgs.writeShellScript "pinact-check" '' + token="''${GITHUB_TOKEN:-$(${pkgs.gh}/bin/gh auth token 2>/dev/null || true)}" + if [ -z "$token" ]; then + echo "pinact: skipping — no GITHUB_TOKEN and gh not authenticated" >&2 + exit 0 + fi + export GITHUB_TOKEN="$token" + exec ${pkgs.pinact}/bin/pinact run --check + ''}"; files = "^\\.github/workflows/.*\\.ya?ml$"; language = "system"; pass_filenames = false; From 6bf4adba3095569ba15f56af4f04df307e81a0e3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 18 Jun 2026 10:28:35 +0000 Subject: [PATCH 6/6] fix(nix): upgrade pkgs.docker to pkgs.docker_29 to resolve insecure package error --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 329d1cbb..4d4fa588 100644 --- a/flake.nix +++ b/flake.nix @@ -24,7 +24,7 @@ dockerBuild = pkgs.writeShellApplication { name = "dockerBuild"; runtimeInputs = [ - pkgs.docker + pkgs.docker_29 pkgs.coreutils ]; text = ''