treewide: add developer shell and pre-commit hooks and improve workflows (#519)

Add developer shells with direnv integration and the deadnix, hlint,
nixfmt-rfc-style, statix, stylish-haskell, typos, and yamllint
pre-commit hooks.

Ensure 'nix flake check' works as expected and add the nix-flake-check
package, which is a parallelized alternative to 'nix flake check'.

Improve and update the GitHub workflows.

Closes: #236
Link: #519

Approved-by: Daniel Thwaites <[email protected]>

Author: trueNAHO

.envrc

@@ -0,0 +1 @@
+use flake

.github/workflows/backport.yml

@@ -1,45 +1,44 @@
-# Derived from https://github.com/NixOS/nixpkgs/blob/2ab6f6d61630889491f86396b27a76ffb6fbc7bb/.github/workflows/backport.yml
-
+---
+# Derived from
+# https://github.com/NixOS/nixpkgs/blob/2ab6f6d61630889491f86396b27a76ffb6fbc7bb/.github/workflows/backport.yml
 name: Backport
 
-on:
+on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [closed, labeled]
 
 permissions: {}
 
 jobs:
   backport:
-    name: Backport
     runs-on: ubuntu-latest
 
     if: >
       (
         github.repository_owner == 'danth' &&
         github.event.pull_request.merged == true &&
-        (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
+        (
+          github.event_name != 'labeled' ||
+          startsWith('backport', github.event.label.name)
+        )
       )
 
     steps:
       # Use a GitHub App rather than the default token so that GitHub Actions
       # workflows may run on the created pull request.
-      - name: Create GitHub access token
-        uses: actions/create-github-app-token@v1
+      - uses: actions/create-github-app-token@v1
         id: app-token
         with:
           app-id: ${{ vars.BACKPORT_APP_ID }}
           private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}
 
-      - name: Checkout original pull request
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ steps.app-token.outputs.token }}
 
-      - name: Create backport pull request
-        uses: korthout/backport-action@v3
+      - uses: korthout/backport-action@v3
         with:
           github_token: ${{ steps.app-token.outputs.token }}
           pull_title: "[${target_branch}] ${pull_title}"
-          pull_description: |-
-            This is an automated backport of #${pull_number}.
+          pull_description: "This is an automated backport of #${pull_number}."

.github/workflows/build.yml

@@ -0,0 +1,83 @@
+---
+name: Check
+
+on:  # yamllint disable-line rule:truthy
+  push:
+
+permissions:
+  contents: read
+
+jobs:
+  get-derivations:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: DeterminateSystems/nix-installer-action@v16
+      - uses: DeterminateSystems/magic-nix-cache-action@v8
+
+      - id: get-derivations
+        run: |
+          nix flake show --json \
+            github:${{
+              github.repository
+            }}/${{
+              github.event.pull_request.head.sha || github.sha
+            }} |
+            jq --raw-output '
+              def format_output($arch; $type):
+                {
+                  arch: $arch,
+                  key: .,
+
+                  os: (
+                    if $arch == "x86_64-linux" then
+                      "ubuntu-24.04"
+                    else
+                      "macos-14"
+                    end
+                  ),
+
+                  type: $type
+                };
+
+              [
+                ["x86_64-linux", "x86_64-darwin"][] as $arch |
+                (.checks[$arch] | keys) as $checks |
+                (.packages[$arch] | keys) as $packages |
+                (($checks - $packages)[] | format_output($arch; "checks")),
+                ($packages[] | format_output($arch; "packages"))
+              ] |
+              "derivations=\(.)"
+            ' >> $GITHUB_OUTPUT
+
+    outputs:
+      derivations: ${{ steps.get-derivations.outputs.derivations }}
+
+  check:
+    runs-on: ${{ matrix.check.os }}
+
+    name: ${{ matrix.check.key }} on ${{ matrix.check.arch }}
+    needs: get-derivations
+
+    strategy:
+      fail-fast: false
+      matrix:
+        check: ${{ fromJSON(needs.get-derivations.outputs.derivations) }}
+
+    steps:
+      - uses: DeterminateSystems/nix-installer-action@v16
+      - uses: DeterminateSystems/magic-nix-cache-action@v8
+
+      - run: |
+          nix build --no-update-lock-file --print-build-logs \
+            github:${{
+              github.repository
+            }}/${{
+              github.event.pull_request.head.sha || github.sha
+            }}#${{
+              matrix.check.type
+            }}.${{
+              matrix.check.arch
+            }}.${{
+              matrix.check.key
+            }}

.github/workflows/check.yml

@@ -1,57 +1,36 @@
+---
 name: Docs
 
-on:
+on:  # yamllint disable-line rule:truthy
   push:
     branches:
       - master
 
+concurrency:
+  cancel-in-progress: true
+  group: pages
+
 jobs:
-  build:
-    name: Build
+  docs:
+    runs-on: ubuntu-24.04
 
     permissions:
       contents: read
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          extra-conf: |
-            extra-experimental-features = nix-command flakes
-
-      - name: Set up cache
-        uses: DeterminateSystems/magic-nix-cache-action@main
-
-      - name: Build docs
-        run: nix -L build github:${{ github.repository }}/${{ github.sha }}#docs
-
-      - name: Prepare docs for upload
-        run: cp -r --dereference --no-preserve=mode,ownership result/ public/
-
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: public/
-
-  deploy:
-    name: Deploy
-
-    needs: build
-
-    permissions:
-      pages: write
       id-token: write
+      pages: write
 
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
 
-    runs-on: ubuntu-latest
-
     steps:
-      - name: Deploy docs to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@v16
+      - uses: DeterminateSystems/magic-nix-cache-action@v8
+      - run: nix build .#docs
+
+      - uses: actions/upload-pages-artifact@v3
+        with:
+          path: result
+
+      - uses: actions/deploy-pages@v4

.github/workflows/docs.yml

@@ -1,2 +1,4 @@
+/.direnv/
+/.pre-commit-config.yaml
 result
 result-*

.github/workflows/lint.yml

@@ -1,6 +1,9 @@
-(import (let lock = builtins.fromJSON (builtins.readFile ./flake.lock);
-in fetchTarball {
-  url =
-    "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
-  sha256 = lock.nodes.flake-compat.locked.narHash;
-}) { src = ./.; }).defaultNix
+(import (
+  let
+    lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+  in
+  fetchTarball {
+    url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+    sha256 = lock.nodes.flake-compat.locked.narHash;
+  }
+) { src = ./.; }).defaultNix