tools: add workflow to review Nix changes

aduh95 · aduh95 · commit b8578438fc6e · 2026-05-04T00:15:18.000+02:00
diff --git a/.github/workflows/review-nix-changes.yml b/.github/workflows/review-nix-changes.yml
@@ -0,0 +1,128 @@
+name: Review Nix changes
+
+on:
+  pull_request:
+    paths:
+      - '**.nix'
+      - '.github/workflows/review-nix-changes.yml'
+    types: [opened, synchronize, reopened, ready_for_review]
+  push:
+    branches:
+      - main
+      - canary
+      - v[0-9]+.x-staging
+      - v[0-9]+.x
+    paths:
+      - '**.nix'
+      - '.github/workflows/review-nix-changes.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  eval:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-24.04
+            system: x86_64-linux
+          - runner: ubuntu-24.04-arm
+            system: aarch64-linux
+          # - runner: macos-15-intel
+          #   system: x86_64-darwin
+          # - runner: macos-latest
+          #   system: aarch64-darwin
+    name: '${{ matrix.system }}: Evaluate shell.nix'
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: '*.nix'
+          sparse-checkout-cone-mode: false
+          fetch-depth: 2
+
+      - uses: cachix/install-nix-action@96951a368ba55167b55f1c916f7d416bac6505fe  # v31.10.3
+        with:
+          extra_nix_config: sandbox = true
+
+      - uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c  # v17
+        with:
+          name: nodejs
+
+      - name: Compare 
+        run: |
+          NIX_DIR=./tools/nix
+          nix_show_derivation () {
+            nix --extra-experimental-features nix-command derivation show $2 "$1"
+          }
+          list_nix_derivations () {
+            DRV="$(
+              nix-instantiate -I "nixpkgs=$NIX_DIR/pkgs.nix" "./shell.nix" \
+                --arg devTools "
+                  (import $NIX_DIR/devTools.nix {})
+                  ++ builtins.attrValues (
+                    { inherit (import <nixpkgs> {}) nixfmt-tree sccache; }
+                    // import $NIX_DIR/openssl-matrix.nix {}
+                  )" \
+                --arg withTemporal true \
+                --arg withQuic true
+            )"
+            nix-store -qR --include-outputs "$DRV" | sort -k1.45 > "out/${{ matrix.system }}-$1-paths.txt"
+            nix_show_derivation "$DRV" -r | jq '(
+              .derivations |= (
+                to_entries
+                | sort_by(.key | .[32:])
+                | .[].value.inputs.drvs |= (
+                  to_entries
+                  | sort_by(.key | .[32:])
+                  | from_entries)
+                | from_entries))' > "out/${{ matrix.system }}-$1-drv.json"
+          }
+          mkdir out
+          list_nix_derivations after
+          git reset HEAD^ --hard
+          list_nix_derivations before
+
+      - name: Upload tarball artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
+        with:
+          path: out/
+          name: diff-${{ matrix.system }}
+
+  compare:
+    runs-on: ubuntu-slim
+    needs: eval
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
+
+      - run: tree || ls
+
+      - name: Add comment
+        run: |
+          {
+            echo "This PR touches some Nix files. To help review it, here's a quick overview of the changes that were detected:"
+
+            for system in x86_64-linux aarch64-linux x86_64-darwin aarch64-darwin; do
+              echo
+              echo "<details><summary>$system</summary>"
+              echo
+              echo '```diff'
+              diff "diff-$system/$system-before-paths.txt" "diff-$system/$system-after-paths.txt" || true
+              echo '```'
+              echo
+              echo "</details>"
+            done
+
+            echo
+            echo "To dig deeper, please review manually the JSON files."
+          } #| gh pr comment "$PR_URL" --edit-last --create-if-none -F-
+
+
diff --git a/tools/nix/pkgs.nix b/tools/nix/pkgs.nix
@@ -1,10 +1,10 @@
 arg:
 let
   repo = "https://github.com/NixOS/nixpkgs";
-  rev = "01fbdeef22b76df85ea168fbfe1bfd9e63681b30";
+  rev = "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0";
   nixpkgs = import (builtins.fetchTarball {
     url = "${repo}/archive/${rev}.tar.gz";
-    sha256 = "0b76m4i1sn0dg78ylapvbkgw9knkf6lm1lss39w6zyshgv1rbi0q";
+    sha256 = "1yf4qv3scjygdkg67nibrhbddg3154mv9cxffvykmwcrwfcrrlaq";
   }) arg;
 in
 nixpkgs
