ci: use nix for workflows (amperser#1416)

Author: drainpixie

.github/workflows/cd-publish.yml

@@ -0,0 +1,162 @@
+name: "CD: Build & Publish"
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version"
+        required: true
+        type: string
+      prerelease:
+        description: "Mark as prerelease"
+        required: false
+        default: false
+        type: boolean
+
+jobs:
+  version:
+    name: Bump Version & Tag
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: "[INIT] Checkout"
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: "[INIT] Git Config"
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: "[INIT] Install Nix"
+        uses: cachix/install-nix-action@v31
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: "[INIT] Setup Cachix"
+        uses: cachix/cachix-action@v15
+        with:
+          name: amperser
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+
+      - name: "[VERSION] Bump & Commit"
+        run: |
+          nix develop --command uv version ${{ github.event.inputs.version }}
+          nix develop --command git-cliff -c cliff.toml \
+          --tag v${{ github.event.inputs.version }} \
+          -o CHANGELOG.md
+
+          git commit -am "chore: prepare release v${{ github.event.inputs.version }}" || echo "no changes to commit"
+
+      - name: "[GIT] Create tag"
+        run: |
+          git tag v${{ github.event.inputs.version }}
+          git push origin HEAD --tags
+
+  build:
+    name: Build Artifacts
+    runs-on: ubuntu-latest
+    needs: [version]
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
+    steps:
+      - name: "[INIT] Checkout"
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: "[INIT] Install Nix"
+        uses: cachix/install-nix-action@v31
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: "[INIT] Setup Cachix"
+        uses: cachix/cachix-action@v15
+        with:
+          name: amperser
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+      - name: "[BUILD] Wheel"
+        run: |
+          mkdir -p dist
+          nix build -L .#wheel
+          cp result/*.whl dist/
+
+
+      - name: "[BUILD] Source dist"
+        run: |
+          nix build -L .#sdist
+          cp result/*.tar.gz dist/
+
+      - name: "[CHANGELOG] Generate release notes"
+        run: |
+          nix develop --command git-cliff -c cliff.toml \
+            --unreleased --verbose \
+            -o dist/RELEASE_NOTES.md
+
+      - name: "[VERIFY] Provenance"
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: 'dist/*'
+
+      - name: "[UPLOAD] Artifacts"
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-artifacts
+          path: dist/
+          if-no-files-found: error
+
+  github-release:
+    name: GitHub Release
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      contents: write
+    steps:
+      - name: "[INIT] Checkout"
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: "[DOWNLOAD] Artifacts"
+        uses: actions/download-artifact@v4
+        with:
+          name: dist-artifacts
+          path: dist/
+
+      - name: "[INPUT] Get input"
+        id: input
+        run: |
+          echo "tag=v${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+          echo "version=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+          echo "prerelease=${{ github.event.inputs.prerelease }}" >> $GITHUB_OUTPUT
+
+      - name: "[RELEASE] Create GitHub release"
+        uses: softprops/action-gh-release@v2
+        with:
+          name: Release ${{ steps.input.outputs.tag }}
+          tag_name: ${{ steps.input.outputs.tag }}
+          prerelease: ${{ steps.input.outputs.prerelease }}
+          body_path: dist/RELEASE_NOTES.md
+          files: dist/*
+
+  pypi-publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    needs: [build]
+    permissions:
+      id-token: write
+    steps:
+      - name: "[DOWNLOAD] Artifacts"
+        uses: actions/download-artifact@v4
+        with:
+          name: dist-artifacts
+          path: dist/
+
+      - name: "[PUBLISH] PyPI"
+        uses: pypa/gh-action-pypi-publish@release/v1

.github/workflows/cd-pypi.yml

@@ -1,50 +1,82 @@
 name: "CI: Lint & Test"
+
 on: [push, pull_request]
+
 jobs:
   lint:
     name: Lint
     if: "!(contains(github.event.head_commit.message, '[skip_ci]'))"
     runs-on: ubuntu-latest
-    defaults:
-      run:
-        shell: bash
+
     steps:
       - name: "[INIT] Checkout repository"
-        uses: actions/checkout@v4
-      - name: "[INIT] Install uv"
-        uses: astral-sh/setup-uv@v5
+        uses: actions/checkout@v5
+
+      - name: "[INIT] Install Nix"
+        uses: cachix/install-nix-action@v31
         with:
-          python-version: "3.10"
-          enable-cache: true
-      - name: "[INIT] Install dependencies"
-        run: uv sync --locked --all-extras --dev
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: "[INIT] Setup Cachix"
+        uses: cachix/cachix-action@v15
+        with:
+          name: amperser
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
       - name: "[EXEC] Lint"
-        run: uv run poe lint
+        run: nix develop --command ruff check proselint tests
+
   test-cover:
     name: Test & Cover
     if: "!(contains(github.event.head_commit.message, '[skip_ci]'))"
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write
-    defaults:
-      run:
-        shell: bash
     strategy:
       matrix:
         python: ["3.9", "3.10", "3.11", "3.12", "3.13"]
         os: [ubuntu-latest, macos-latest, windows-latest]
+
     steps:
       - name: "[INIT] Checkout repository"
-        uses: actions/checkout@v4
-      - name: "[INIT] Install uv"
-        uses: astral-sh/setup-uv@v5
+        uses: actions/checkout@v5
+
+      - name: "[INIT] Install Nix (Unix)"
+        if: runner.os != 'Windows'
+        uses: cachix/install-nix-action@v31
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+
+      - name: "[INIT] Setup Cachix (Unix)"
+        if: runner.os != 'Windows'
+        uses: cachix/cachix-action@v15
+        with:
+          name: amperser
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+
+      - name: "[INIT] Install uv (Windows)"
+        if: runner.os == 'Windows'
+        uses: astral-sh/setup-uv@v6
         with:
           python-version: ${{ matrix.python }}
           enable-cache: true
-      - name: "[INIT] Install dependencies"
+
+      - name: "[INIT] Install dependencies (Windows)"
+        if: runner.os == 'Windows'
         run: uv sync --locked --all-extras --dev --group test
-      - name: "[EXEC] Test"
+
+      - name: "[EXEC] Test & Coverage (Windows)"
+        if: runner.os == 'Windows'
         run: uv run poe test-cover
+        env:
+          PYTHON_VERSION: ${{ matrix.python }}
+
+      - name: "[EXEC] Test & Coverage (Unix)"
+        if: runner.os != 'Windows'
+        run: nix develop --command uv run poe test-cover
+        env:
+          PYTHON_VERSION: ${{ matrix.python }}
+
       - name: "[EXEC] Upload coverage to Codecov"
         uses: codecov/codecov-action@v5
         with:

.github/workflows/ci-lint-test.yml

@@ -1,23 +1,36 @@
+# Nix
+.direnv/
+.envrc
+.result/
+.pre-commit-config.yaml
+
+# Python
+*.egg
 *.egg-info
 *.pyc
-cached_func_calls/*
-profile_output
-site/write/*
-tests/corpus/newyorker/*
-cache/*
-proselint/cache/*
-build/*
-*.egg
+*.pstore
 *.rdb
+__pycache__/
+build/
+dist/
+cache/
+proselint/cache/
+cached_func_calls/*
+
+# Coverage
 .coverage
 coverage.lcov
-proselint/proselint_develop.sublime-project
-proselint/proselint_develop.sublime-workspace
+profile_output
+
+# Tests
+.hypothesis/
+tests/corpus/newyorker/*
+
+# Corpora
 corpora/*
 !corpora/README.md
-dist/
-*.pstore
-.pre-commit-config.yaml
-.hypothesis
-.direnv/
-.envrc
+
+# Editor
+proselint/proselint_develop.sublime-workspace
+.proselint/proselint_develop.sublime-project
+.site/write/*