ci(nix): Move flake version+hash sync into release pipeline

edenreich · edenreich · commit 60d7d440c4ff · 2026-05-13T20:16:59.000+02:00
Replaces the per-PR auto-fix workflow with in-release synchronization.
The release pipeline now installs Determinate Nix and the prepareCmd
runs `determinate-nixd fix hashes --auto-apply flake.nix` alongside
the version sed, so the release commit always has both correct
`version =` and correct `vendorHash`. Tags become self-consistent,
which is what's needed for cross-repo Flox manifests pinning to
`github:inference-gateway/cli/v&lt;tag&gt;`.

Reverts the nix-build.yml path filter additions for go.mod/go.sum.
Without the auto-fix workflow, those filters would just produce noisy
red CI on every Dependabot PR. nix-build now only runs when flake.nix
itself changes.

Removes nix-fix-hashes.yml. Dependabot PRs no longer auto-resolve
vendorHash on the PR branch — `main` may have stale vendorHash
between releases, but each release pipeline refreshes it. Trade-off:
`nix build github:inference-gateway/cli` (default branch) may fail
mid-cycle; pin to tags for reliability.

Release pipeline cost: ~30-60s for Determinate Nix install + a few
seconds for `fix hashes` (mostly cached after first release).
diff --git a/.github/workflows/nix-build.yml b/.github/workflows/nix-build.yml
@@ -1,3 +1,4 @@
+---
 name: Nix Build Verification
 
 concurrency:
@@ -11,17 +12,13 @@ on:
     paths:
       - 'flake.nix'
       - 'flake.lock'
-      - 'go.mod'
-      - 'go.sum'
       - '.github/workflows/nix-build.yml'
   push:
     branches:
       - main
     paths:
       - 'flake.nix'
       - 'flake.lock'
-      - 'go.mod'
-      - 'go.sum'
       - '.github/workflows/nix-build.yml'
   workflow_dispatch:
 
diff --git a/.github/workflows/nix-fix-hashes.yml b/.github/workflows/nix-fix-hashes.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -71,6 +71,9 @@ jobs:
             conventional-changelog-conventionalcommits@9.1.0 \
             conventional-changelog-cli@5.0.0
 
+      - name: Install Determinate Nix
+        uses: DeterminateSystems/determinate-nix-action@v3
+
       - name: Check for existing releases
         id: check_releases
         env:
diff --git a/.releaserc.yaml b/.releaserc.yaml
@@ -90,6 +90,7 @@ plugins:
   - - "@semantic-release/exec"
     - prepareCmd: |
         sed -i.bak 's|version = "[^"]*";|version = "${nextRelease.version}";|' flake.nix && rm flake.nix.bak
+        determinate-nixd fix hashes --auto-apply flake.nix
 
   - - "@semantic-release/git"
     - assets:
