ci(nix): Replace standalone package.nix with flake.nix (#508)

## Summary

Adds Nix flake support for consuming `infer` from any flake-aware tool —
most notably as a Flox manifest entry across other repos. Replaces the
standalone `nix/package.nix` with a single `flake.nix` at the repo root,
and syncs `version` + `vendorHash` as part of each release commit so
tags are self-consistent.

### Pin from Flox

```toml
[install]
infer.flake = "github:inference-gateway/cli/v0.110.0"   # recommended: pin to tag
infer.flake = "github:inference-gateway/cli"            # latest default branch
```

Tag pins are the reliable path — the release commit refreshes both
`version =` and `vendorHash`, so every tagged version builds cleanly in
a fresh checkout.

### Changes

1. **NEW `flake.nix`** — multi-platform (`aarch64`/`x86_64` ×
`linux`/`darwin`) `buildGoModule` derivation. `proxyVendor = true`
(still required by `robotgo`'s CGO header layout) and `goSum =
./go.sum;` for reliability across nixpkgs upgrades. Exposes
`packages.<system>.{default,infer}`, `apps.default`, and
`devShells.default`.
2. **DELETED `nix/` folder** — `package.nix`, `default.nix`,
`update-hashes.sh`, and the `nixpkgs-submission/` scaffolding. Single
source of truth.
3. **MIGRATED `nix-build.yml`** — switched from `nix-build` to `nix
build .#infer` + `nix flake check --all-systems`. Only triggers on
`flake.nix`/`flake.lock` changes.
4. **UPDATED `release.yml` + `.releaserc.yaml`** — added Determinate Nix
install + `@semantic-release/exec` with a `prepareCmd` that:
   - seds `version =` in `flake.nix`
- runs `determinate-nixd fix hashes --auto-apply flake.nix` to refresh
`vendorHash`
- `flake.nix` is committed alongside `CHANGELOG.md` via
`@semantic-release/git`'s `assets`
5. **DELETED `nix-version-sync.yml`** — its job is now done inside the
release commit itself, not in a follow-up PR.

### Release pipeline impact

~30-60s for Determinate Nix install + a few seconds for `fix hashes` per
release. Subsequent releases are mostly cached.

### Mid-cycle staleness (known trade-off)

Between releases, `main` may have stale `vendorHash` if Dependabot
bumped `go.mod`/`go.sum`. `nix build github:inference-gateway/cli`
(default branch) may fail during these windows. Each release pipeline
refreshes it. **Pin to tags for reliability** — this is the recommended
consumption pattern for cross-repo Flox manifests anyway.

## Test plan

- [x] `nix flake check --all-systems --no-build` evaluates cleanly on
all 4 platforms
- [x] `nix build .#infer` succeeds locally → `result/bin/infer version`
reports `0.109.3`
- [x] `nixfmt --check flake.nix` + `statix check flake.nix` pass
- [x] **Flox integration A** (local `path:` ref): `flox activate --
infer version` works against working tree
- [x] **Flox integration B** (remote `github:` ref): `flox activate --
infer version` works against this pushed branch
- [ ] CI `Nix Build Verification` matrix passes on all 4 platforms
- [ ] First release after merge: confirm release commit includes both
`CHANGELOG.md` and `flake.nix` updates, and `nix build
github:inference-gateway/cli/v<new>#infer` succeeds in a clean checkout

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: edenreich

.github/workflows/nix-build.yml

@@ -1,3 +1,4 @@
+---
 name: Nix Build Verification
 
 concurrency:
@@ -9,13 +10,15 @@ on:
     branches:
       - main
     paths:
-      - 'nix/**'
+      - 'flake.nix'
+      - 'flake.lock'
       - '.github/workflows/nix-build.yml'
   push:
     branches:
       - main
     paths:
-      - 'nix/**'
+      - 'flake.nix'
+      - 'flake.lock'
       - '.github/workflows/nix-build.yml'
   workflow_dispatch:
 
@@ -53,7 +56,7 @@ jobs:
 
       - name: Build with Nix
         run: |
-          nix-build nix/default.nix --show-trace
+          nix build .#infer --show-trace --print-build-logs
 
       - name: Verify binary
         run: |
@@ -93,15 +96,15 @@ jobs:
 
       - name: Check Nix formatting (nixfmt-rfc-style)
         run: |
-          nix-shell -p nixfmt-rfc-style --run "nixfmt --check nix/package.nix nix/default.nix"
+          nix-shell -p nixfmt-rfc-style --run "nixfmt --check flake.nix"
 
       - name: Lint with statix
         run: |
-          nix-shell -p statix --run "statix check nix/"
+          nix-shell -p statix --run "statix check flake.nix"
 
-      - name: Evaluate Nix expression
+      - name: Check flake evaluates on all systems
         run: |
-          nix-instantiate --eval --strict nix/default.nix --show-trace
+          nix flake check --all-systems --no-build --show-trace
 
   summary:
     name: Build Summary
@@ -124,4 +127,4 @@ jobs:
             exit 1
           fi
 
-          echo "✅ All Nix build checks passed!"
+          echo "All Nix build checks passed!"

.github/workflows/nix-version-sync.yml

@@ -65,11 +65,15 @@ jobs:
             @semantic-release/commit-analyzer@13.0.1 \
             @semantic-release/release-notes-generator@14.1.0 \
             @semantic-release/changelog@6.0.3 \
+            @semantic-release/exec@7.1.0 \
             @semantic-release/git@10.0.1 \
             @semantic-release/github@1.0.0 \
             conventional-changelog-conventionalcommits@9.1.0 \
             conventional-changelog-cli@5.0.0
 
+      - name: Install Determinate Nix
+        uses: DeterminateSystems/determinate-nix-action@v3
+
       - name: Check for existing releases
         id: check_releases
         env:

.github/workflows/release.yml

@@ -87,9 +87,15 @@ plugins:
         The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
         and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+  - - "@semantic-release/exec"
+    - prepareCmd: |
+        sed -i.bak 's|version = "[^"]*";|version = "${nextRelease.version}";|' flake.nix && rm flake.nix.bak
+        determinate-nixd fix hashes --auto-apply flake.nix
+
   - - "@semantic-release/git"
     - assets:
         - CHANGELOG.md
+        - flake.nix
       message: |
         chore(release): ${nextRelease.version} [skip ci]
 
@@ -124,6 +130,21 @@ plugins:
         curl -fsSL https://raw.githubusercontent.com/inference-gateway/cli/main/install.sh | bash -s -- --install-dir $HOME/.local/bin
         ```
 
+        ### Nix Flake
+
+        Run directly without installing:
+
+        ```bash
+        nix run github:inference-gateway/cli/<%= nextRelease.gitTag %>
+        ```
+
+        Or pin it in a [Flox](https://flox.dev) manifest (`.flox/env/manifest.toml`):
+
+        ```toml
+        [install]
+        infer.flake = "github:inference-gateway/cli/<%= nextRelease.gitTag %>"
+        ```
+
         ### Binary Download
 
         Download the appropriate binary for your platform from the assets below.