@jerome-benoit jerome-benoit commented Jan 21, 2026

Summary

Improves Nix flake maintainability and build performance with dynamic version reading and source filtering.

Changes

Nix flake (flake.nix)

  • Read version dynamically from package.json instead of hardcoding
  • Add lib.fileset source filtering to exclude node_modules/ and build artifacts
  • Extract lib for cleaner code

Update script (scripts/update-flake.sh)

  • Support dynamic version pattern (no longer updates version field)
  • Detect when hash is already up-to-date (skip unnecessary rebuilds)
  • Improve error handling with automatic rollback
  • Add colored output and better UX

CI (ci.yml)

  • Bump nix-installer-action: v13 → v21
  • Bump magic-nix-cache-action: v8 → v13
  • Update validation to handle unchanged flake.nix correctly

Documentation

  • Update scripts/README.md to reflect dynamic version behavior
  • Update specs to document new behavior

Testing

  • nix flake check passes
  • scripts/update-flake.sh detects up-to-date hash
  • scripts/update-flake.sh corrects incorrect hash
  • ✅ Build succeeds with filtered sources
  • ✅ Version correctly reads as 0.23.0 from package.json

Motivation

  • Reduces maintenance: Version synced automatically, no manual updates needed
  • Improves builds: Source filtering reduces Nix store bloat and speeds up builds
  • Better DX: Script provides clear feedback and handles errors gracefully

Summary by CodeRabbit

  • Chores

    • CI actions updated to newer Nix-related versions for improved reliability.
    • Packaging now reads project version dynamically and refines source selection to exclude build artifacts.
    • Update utility rewritten to compute and apply dependency hashes more robustly, detect when hashes are already current, and skip unnecessary rebuilds.
    • Enhanced colored output and clearer success/error messaging.
  • Documentation

    • Scripts docs updated to reflect the new hash-focused workflow and usage.


- Read version dynamically from package.json instead of hardcoding
- Add lib.fileset source filtering to exclude node_modules and build artifacts
- Update update-flake.sh to support dynamic version pattern
- Add hash change detection to skip unnecessary rebuilds
- Improve error handling with automatic rollback on failure
- Update specs to reflect dynamic version behavior
- nix-installer-action: v13 → v21
- magic-nix-cache-action: v8 → v13
- Update validation message for unchanged flake.nix
Copilot AI review requested due to automatic review settings January 21, 2026 10:54
coderabbitai bot commented Jan 21, 2026

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

This PR updates Nix flake maintenance: flake.nix reads version from package.json and uses a fileset for src; update-flake.sh uses a placeholder hash to derive/skip updates and improves extraction/error handling; CI workflow bumps Nix-related action versions and updates messaging; docs and specs adjusted accordingly.

Changes

Cohort / File(s) | Summary
CI / Workflow: .github/workflows/ci.yml | Bumped nix-installer-action to v21 and magic-nix-cache-action to v13; changed flake update status messaging to report “unchanged (hash already up-to-date)”.
Nix flake configuration: flake.nix | Read version from package.json; replaced static src with lib.fileset.toSource including explicit project files (excludes node_modules); reformatted outputs/forAllSystems structure.
Update script & docs: scripts/update-flake.sh, scripts/README.md | Rewrote update script to validate dynamic version usage, require pnpm-lock.yaml, inject a placeholder hash, run a build to extract the real hash (multiple extraction patterns), restore original on failure, skip when hash is already current, and updated README examples/messages.
Specs & changeset: .changeset/nix-flake-improvements.md, openspec/changes/.../specs/flake-update-script/spec.md, openspec/specs/ci-nix-validation/spec.md | Added changeset and updated specs to reflect dynamic version reading, new “no changes needed” path, updated hash-extraction and error flows, and revised validation wording.

Sequence Diagram(s)

sequenceDiagram
    participant User as User/CI
    participant Script as update-flake.sh
    participant Pkg as package.json
    participant Flake as flake.nix
    participant Nix as Nix Build
    participant Git as Git

    User->>Script: run update-flake.sh
    Script->>Script: ensure pnpm-lock.yaml exists
    Script->>Pkg: read version
    Pkg-->>Script: version
    Script->>Flake: verify flake reads version from package.json
    alt dynamic version present
        Script->>Flake: write placeholder hash
        Script->>Nix: build --no-link (capture output)
        Nix-->>Script: output including actual hash
        Script->>Script: extract calculated hash
        alt hash same as current
            Script-->>User: ℹ️ No changes needed (exit 0)
        else hash differs
            Script->>Flake: update hash in flake.nix
            Script->>Nix: re-verify build
            Nix-->>Script: build succeeds
            Script->>Git: stage changes (ready to commit)
            Script-->>User: ✅ Updated hash (recommend test/verify/commit)
        end
    else dynamic version missing
        Script-->>User: ❌ Error: flake.nix must read version from package.json
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Suggested reviewers

  • TabishB

Poem

🐇 I read the JSON, hopped to the build,
I set a placeholder, kept my paws quite still.
If hashes match I'll nibble and stay chilled,
If not, I chase the true hash and fix the spill.
A tidy flake, a light-footed commit—such thrill!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately summarizes the main changes: dynamic version reading and build optimization through source filtering are the core improvements to the Nix flake configuration.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


greptile-apps bot commented Jan 21, 2026

Greptile Summary

Improves Nix flake maintainability and build performance through dynamic version reading and source filtering.

Key improvements:

  • Dynamic version from package.json: flake.nix now reads version dynamically using builtins.fromJSON (builtins.readFile ./package.json).version, eliminating manual version sync
  • Source filtering with lib.fileset — Excludes node_modules/ and build artifacts from Nix store, reducing bloat and improving build times
  • Smart update script: update-flake.sh now detects when hash is already correct and exits early, avoiding unnecessary rebuilds. Added error recovery with automatic rollback on failure
  • Enhanced UX — Script provides colored output, clear progress indicators, and helpful next steps
  • CI updates — Bumped Nix actions to latest versions (nix-installer-action v21, magic-nix-cache-action v13) and updated validation message for unchanged flake scenarios

All changes align with the updated specs in openspec/specs/ci-nix-validation/spec.md and openspec/changes/archive/2026-01-09-add-flake-update-script/specs/flake-update-script/spec.md.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • All changes are well-tested improvements to tooling and infrastructure. The dynamic version reading is a standard Nix pattern, source filtering follows best practices, and the update script has proper error handling with rollback. CI validation ensures changes work correctly. No runtime code changes affect the application itself.
  • No files require special attention

Important Files Changed

Filename | Overview
flake.nix | Dynamic version reading from package.json and source filtering added correctly, improving maintainability
scripts/update-flake.sh | Enhanced with up-to-date hash detection, error recovery, colored output, and improved UX
.github/workflows/ci.yml | Nix actions updated to latest versions, validation message adjusted for unchanged flake.nix

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Script as update-flake.sh
    participant PkgJSON as package.json
    participant Flake as flake.nix
    participant Nix as Nix Build

    Dev->>Script: ./scripts/update-flake.sh
    Script->>PkgJSON: Read version
    PkgJSON-->>Script: 0.23.0
    Script->>Flake: Check dynamic version pattern
    alt Dynamic pattern found
        Script->>Script: ✓ Dynamic version confirmed
    else Hardcoded version
        Script->>Dev: ⚠️ Warning: hardcoded version
    end
    
    Script->>Flake: Extract current hash
    Flake-->>Script: sha256-current...
    Script->>Flake: Set placeholder hash
    Script->>Nix: nix build --no-link (expected to fail)
    Nix-->>Script: Error: got: sha256-correct...
    Script->>Script: Parse correct hash from error
    
    alt Hash unchanged
        Script->>Flake: Restore correct hash
        Script->>Dev: ✓ Hash already up-to-date
    else Hash changed
        Script->>Flake: Update with correct hash
        Script->>Nix: nix build --no-link (verify)
        alt Build succeeds
            Nix-->>Script: Success
            Script->>Dev: ✅ Updated successfully
        else Build fails
            Nix-->>Script: Error
            Script->>Flake: Restore original hash
            Script->>Dev: ❌ Build verification failed
        end
    end

greptile-apps bot commented Jan 21, 2026

Greptile found no issues!

From now on, if a review finishes and we haven't found any issues, we will not post anything, but you can confirm that we reviewed your changes in the status check section.

This feature can be toggled off in your Code Review Settings by deselecting "Create a status check for each PR".

@vibe-kanban-cloud
Review Complete

Your review story is ready!

View Story

Comment !reviewfast on this PR to re-generate the story.

Copilot AI left a comment

Pull request overview

This PR enhances the Nix flake configuration to read version dynamically from package.json and improves build performance through source filtering. It also upgrades the update-flake.sh script with better error handling, early-exit detection for unchanged hashes, and improved UX with colored output.

Changes:

  • Dynamic version reading from package.json in flake.nix (eliminates manual version sync)
  • Source filtering with lib.fileset to exclude node_modules/ and unnecessary files from Nix builds
  • Enhanced update-flake.sh script with hash change detection, automatic rollback on errors, and colored output
  • CI workflow updates: bumped Nix actions to latest versions (v13→v21, v8→v13)

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

File | Description
flake.nix | Added dynamic version reading from package.json and source filtering with lib.fileset
scripts/update-flake.sh | Enhanced with hash change detection, error rollback, colored output, and improved UX
scripts/README.md | Updated documentation to reflect dynamic version behavior
openspec/specs/ci-nix-validation/spec.md | Updated spec to document dynamic version validation
openspec/changes/archive/2026-01-09-add-flake-update-script/specs/flake-update-script/spec.md | Updated spec for new script behavior including rollback and no-op detection
.github/workflows/ci.yml | Bumped Nix installer and cache actions to latest versions
.changeset/nix-flake-improvements.md | Added changeset documenting improvements

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@scripts/update-flake.sh`:
- Around line 52-71: Replace the GNU-only grep -oP calls used to derive
CORRECT_HASH from BUILD_OUTPUT with POSIX-compatible sed parsing: take
BUILD_OUTPUT and run it through sed (using -n and -E/extended regex) to search
for the "sha256-..." token after the "got:" or "got:\s+" context and print the
first match, assigning that to CORRECT_HASH; update both places where
CORRECT_HASH is computed and ensure you still fall back to the alternate pattern
if the first sed extraction yields empty, leaving CURRENT_HASH, PLACEHOLDER,
BUILD_OUTPUT and CORRECT_HASH variable usage unchanged.

- Fix grep pattern on line 37 to include opening parenthesis
- Replace GNU grep -oP with portable sed alternatives (lines 53, 68, 70)
- Ensures script works on both Linux and macOS (BSD sed/grep)
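
The portable extraction requested in the review comment above, as an added example (not code from this PR or from update-flake.sh): it pulls the sha256 token that follows "got:" using sed -nE, with a looser fallback pattern. The sample build output, both hash values, the function names and the final shape check on the extracted value are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of a fixed-output hash mismatch. The store path and both
# hash values are made up for this example (the "got" value is the SHA-256 of
# empty input); none of them come from the PR.
SAMPLE_OUTPUT="error: hash mismatch in fixed-output derivation '/nix/store/<constructed>-deps.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="

# Print the first sha256 token that follows "got:". Only sed -nE is used,
# which both GNU and BSD sed accept, so no grep -oP is needed.
extract_got_hash() {
  got=$(printf '%s\n' "$1" |
    sed -nE 's|^[[:space:]]*got:[[:space:]]*(sha256-[A-Za-z0-9+/]+=*).*|\1|p' |
    head -n 1)
  if [ -z "$got" ]; then
    # Fallback: "got" anywhere on the line, with or without the colon.
    got=$(printf '%s\n' "$1" |
      sed -nE 's|.*got:?[[:space:]]*(sha256-[A-Za-z0-9+/]+=*).*|\1|p' |
      head -n 1)
  fi
  printf '%s' "$got"
}

# Accept only a well-formed SRI sha256 value: 43 base64 characters plus "=".
# Anything else should never be written back into flake.nix.
is_sri_sha256() {
  printf '%s\n' "$1" | grep -Eq '^sha256-[A-Za-z0-9+/]{43}=$'
}

extracted=$(extract_got_hash "$SAMPLE_OUTPUT")
if is_sri_sha256 "$extracted"; then
  echo "extracted: $extracted"
else
  echo "no usable hash in build output"
fi
```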
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@scripts/update-flake.sh`:
- Around line 99-107: The current conditional uses `if nix build --no-link 2>&1
| grep -q "warning: Git tree.*is dirty"; then` which treats any non-matching
output (including build failures) as success; change the logic to capture the
exit status and output of `nix build --no-link` into a variable, check the
command exit code first (fail if non-zero), then separately grep the output for
the "Git tree.*is dirty" warning; update the branches around that captured
output so that when exit code != 0 you print a failure and exit non‑zero, when
exit code == 0 and dirty warning present you print the yellow dirty-tree
message, and when exit code == 0 and no warning you print the green success
message (reference the existing shell snippet containing the `nix build
--no-link 2>&1 | grep -q "warning: Git tree.*is dirty"` condition and variables
BLUE/YELLOW/GREEN).

Fix logic bug where build failures were incorrectly reported as success.
The script now:
- Captures build exit code and output separately
- Fails fast if build returns non-zero exit code
- Only checks for 'dirty tree' warning if build succeeded

This addresses CodeRabbit review feedback on lines 101-107.
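
The exit-status problem discussed in the review comment and commit above, as an added example (not code from this PR): the flagged pipeline form beside the capture-then-check form. fake_build is a hypothetical stand-in for nix build --no-link so the example runs offline, and the function names and sample messages are constructed.

```shell
#!/bin/sh
# Hypothetical stub standing in for `nix build --no-link`:
# $1 is the exit status to return, $2 the text to emit on stderr.
fake_build() {
  printf '%s\n' "$2" >&2
  return "$1"
}

# Pattern flagged in review: the `if` only sees grep's exit status, so a
# failed build that prints no dirty-tree warning lands in the success branch.
verify_flagged() {
  if fake_build "$1" "$2" 2>&1 | grep -q "warning: Git tree.*is dirty"; then
    echo "dirty"
  else
    echo "ok"
  fi
}

# Corrected order: capture output and exit status, fail on non-zero first,
# and look for the warning only once the build is known to have succeeded.
verify_fixed() {
  status=0
  output=$(fake_build "$1" "$2" 2>&1) || status=$?
  if [ "$status" -ne 0 ]; then
    echo "failed"
    return 1
  fi
  if printf '%s\n' "$output" | grep -q "warning: Git tree.*is dirty"; then
    echo "dirty"
  else
    echo "ok"
  fi
}

# Same failing build (exit status 1) through both checks.
verify_flagged 1 "error: hash mismatch in fixed-output derivation"
verify_fixed 1 "error: hash mismatch in fixed-output derivation" || true
```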