Pillar 7 first step. `.forgejo/workflows/check.yml` runs on every push to main and every PR. Three sequential checks in one job:

1. `nix flake check --no-build`

   Catches eval regressions: broken option references, missing imports, stale module argument shapes. The same command AGENT.md tells humans to run by hand before declaring a change done.

2. `bash -n` + `shellcheck --severity=error` over every `nomarchy-*` bash script.

   Mirrors what `.githooks/pre-commit` does locally, but across the whole tree on every push — so a branch that bypasses the hook (via `--no-verify` or a fresh clone without `core.hooksPath` set) still gets gated. Severity is capped at error to match the hook; the long tail of style/info warnings can be cleaned up incrementally.

3. `docs/SCRIPTS.md` drift check.

   Regenerates the audit doc to a temp file and `diff`s against the committed version. Fails loudly with the fix command if a script add/remove/rename didn't include the regeneration step.

Dry-run results on the current tree:

- `nix flake check --no-build`: pass (only pre-existing warnings).
- shellcheck across 159 scripts at severity=error: pass.
- SCRIPTS.md drift: clean.

Activation: Forgejo Actions isn't enabled on the repo yet, so the workflow lands dormant. To activate: enable Actions on the repo in Forgejo's settings and register a `forgejo-runner` on any Docker-capable Linux host. The workflow uses `ubuntu-latest` and installs Nix itself via `DeterminateSystems/nix-installer-action`, so no special runner image is needed.

Deferred to a follow-up batch (needs binary cache infra):

- Building ISOs in CI (`nomarchy-installer`, `nomarchy-live`, default).
- Release pipeline (`vYY.MM.x` tags publishing ISOs as artifacts).
- `nixosTest` per palette with golden-image screenshot diffs.

`docs/STRUCTURE.md` now documents `.forgejo/` and `.githooks/` so future agents and contributors can find both.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
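The script-lint gate (check 2) and the regenerate-then-diff drift check (check 3) as a stand-alone bash example; this is added illustration, not the repo's `check.yml` or its generator. `gen_scripts_doc` is a hypothetical stand-in for the real SCRIPTS.md generator, and the "fix command" it prints is a placeholder, since the commit message does not name the regeneration command.

```bash
#!/usr/bin/env bash
# Added example: portable versions of the lint gate and drift check.
set -u

# Hypothetical generator (assumption): the real one is repo-specific.
# Here it lists every nomarchy-* script directly under $1.
gen_scripts_doc() {
  local root="$1"
  printf '# Scripts\n\n'
  find "$root" -maxdepth 1 -name 'nomarchy-*' -type f | sort |
    while read -r f; do printf -- '- %s\n' "$(basename "$f")"; done
}

# bash -n over every nomarchy-* script under $1; reports all, fails if any.
syntax_check() {
  local root="$1" f rc=0
  for f in "$root"/nomarchy-*; do
    [ -f "$f" ] || continue
    bash -n "$f" || { echo "syntax error: $f" >&2; rc=1; }
  done
  return "$rc"
}

# Full check 2: syntax first, then shellcheck capped at severity=error
# to match the pre-commit hook (style/info findings do not gate).
lint_scripts() {
  local root="$1"
  syntax_check "$root" || return 1
  shellcheck --severity=error "$root"/nomarchy-*
}

# Check 3: regenerate to a temp file, diff against the committed doc.
# Returns 0 when clean, 1 on drift (prints diff + fix hint), 2 on misuse.
check_drift() {
  local root="$1" committed="$2" tmp
  [ -f "$committed" ] || { echo "missing $committed" >&2; return 2; }
  tmp="$(mktemp)"
  gen_scripts_doc "$root" > "$tmp"
  if diff -u "$committed" "$tmp"; then
    rm -f "$tmp"
    return 0
  fi
  rm -f "$tmp"
  # Placeholder fix command; substitute the repo's real regeneration step.
  echo "ERROR: $committed is stale. Fix: <regenerate SCRIPTS.md> && git add $committed" >&2
  return 1
}
```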