build: strip unused mailcap, iana-etc, and tzdata from runtime closure #2

Merged
sangwa merged 2 commits into main from build/stripped-image
Mar 26, 2026


@sangwa sangwa commented Mar 26, 2026

Nixpkgs patches Go's stdlib to reference nix store paths for these packages. None are needed at runtime: mime.TypeByExtension is never called directly, net.LookupPort/LookupProtocol are unused (numeric ports only), and time.LoadLocation is never called. All three use lazy loading with graceful fallback when files are missing.

Summary by CodeRabbit

  • Chores
    • Reduced unnecessary package dependencies from the attestation-server final build, producing a cleaner and smaller runtime artifact.
    • Adjusted CI install step reporting to disable verbose summarization, reducing noisy output in workflow logs.

Nixpkgs patches Go's stdlib to reference nix store paths for these
packages. None are needed at runtime: mime.TypeByExtension is never
called directly, net.LookupPort/LookupProtocol are unused (numeric
ports only), and time.LoadLocation is never called. All three use
lazy loading with graceful fallback when files are missing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sangwa sangwa self-assigned this Mar 26, 2026

coderabbitai Bot commented Mar 26, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 92b61e8 and 369f937.

📒 Files selected for processing (1)
  • .github/workflows/nix-build.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/nix-build.yml

Walkthrough

The flake.nix modification updates the attestation-server buildGoModule derivation to add nativeBuildInputs = [ pkgs.removeReferencesTo ], a postInstall phase that runs remove-references-to against $out/bin/attestation-server, and disallowedReferences = [ pkgs.mailcap pkgs.iana-etc pkgs.tzdata ] to prevent those store paths from appearing in the output. The GitHub Actions workflow .github/workflows/nix-build.yml was updated to set with: summarize: false for the Nix install step.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'build: strip unused mailcap, iana-etc, and tzdata from runtime closure' directly and specifically describes the main change: removing unused packages from the runtime closure in the build configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
flake.nix (1)

44-48: Add a lightweight regression guard for the “unused subsystem” assumption.

Since this optimization depends on specific APIs remaining unused, add a CI/static check so future changes don’t silently invalidate the premise.

#!/bin/bash
set -euo pipefail

# Expectation: no matches in non-test Go code.
# If any match appears, re-evaluate stripping mailcap/iana-etc/tzdata references.
# rg exits 0 when it finds a match, so a hit fails this check.
if rg -n --type go -g '!**/*_test.go' \
  -e '\bmime\.TypeByExtension\s*\(' \
  -e '\bnet\.LookupPort\s*\(' \
  -e '\bnet\.LookupProtocol\s*\(' \
  -e '\btime\.LoadLocation\s*\('; then
  echo "stripped-subsystem API in use; re-evaluate the stripped references" >&2
  exit 1
fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@flake.nix` around lines 44 - 48, Add a lightweight CI regression guard that
fails the build if any non-test Go code starts using the APIs that allowed the
mailcap/iana-etc/tzdata stripping: specifically scan for usages of
mime.TypeByExtension, net.LookupPort, net.LookupProtocol, or time.LoadLocation
and fail the job if matches exist; implement this as a small script/CI step that
runs a recursive grep/ripgrep over Go files excluding *_test.go and returns
non-zero on any match so future changes that reference those symbols are caught.

📥 Commits

Reviewing files that changed from the base of the PR and between 812f8ae and 92b61e8.

📒 Files selected for processing (1)
  • flake.nix
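
Complementing the source-level guard suggested in the review above, this added example (not part of the PR or the project's code) checks the built binary itself for leftover store references to the three packages. The function names `store_refs` and `check_stripped` are hypothetical; the check relies on `remove-references-to` overwriting the 32-character store hash with a run of `e`, a letter that Nix's base32 alphabet (which omits e, o, t and u) never produces, so neutralised paths are not reported.

```bash
#!/bin/sh
# Added example: report live Nix store references left in a binary.
set -eu

# store_refs FILE NAME...
# Prints each /nix/store/<hash>-<NAME>* string found in FILE whose hash is a
# valid Nix base32 hash. Paths rewritten by remove-references-to carry an
# all-'e' hash and are skipped, because 'e' is not in the alphabet.
store_refs() {
  file=$1; shift
  for name in "$@"; do
    pattern="/nix/store/[0-9a-df-np-sv-z]{32}-${name}[0-9A-Za-z+._?=-]*"
    # -a: treat the binary as text; -o: print only the matched path.
    LC_ALL=C grep -aoE "$pattern" "$file" || true
  done | sort -u
}

# check_stripped FILE NAME...
# Returns 0 when FILE holds no live reference to any NAME, 1 otherwise.
check_stripped() {
  target=$1
  hits=$(store_refs "$@")
  if [ -n "$hits" ]; then
    printf 'unexpected store references in %s:\n%s\n' "$target" "$hits" >&2
    return 1
  fi
  return 0
}

# Usage: ./check-refs.sh result/bin/attestation-server mailcap iana-etc tzdata
if [ "$#" -gt 0 ]; then
  check_stripped "$@"
fi
```

`disallowedReferences` already fails the build when a reference survives; a scan like this is useful on an artifact obtained outside the Nix build, or to see which path leaked.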

@sangwa sangwa merged commit 56c9322 into main Mar 26, 2026
3 checks passed
@sangwa sangwa deleted the build/stripped-image branch March 26, 2026 00:55