nix/CI_HOOKS_SUMMARY.md

# Declarative CI and Git Hooks - Summary

## What's New

### 1. GitHub Actions CI ✅
`.github/workflows/flake-check.yaml`
- Runs `nixfmt --check` on every push/PR
- Runs `nix flake check`
- Blocks merging if checks fail

### 2. Nix-Native Git Hooks ✅
`modules/git-hooks/default.nix`
- Hooks defined in `flake.nix` (pure Nix)
- Install automatically on `nixos-rebuild switch`
- Run on every git commit

## Usage

### Install Hooks (One-time per host)

```nix
# Add to hosts/<hostname>/default.nix
{
  imports = [
    # ... other modules
    ../../modules/git-hooks
  ];

  services.git-hooks = {
    enable = true;
    # flake-path = /home/h/nix;  # Optional, default
  };
}
```

### Rebuild

```bash
sudo nixos-rebuild switch --flake .#andromache

# Output:
# 🪝 Installing git hooks...
# ✅ Done
```

### Now Hooks Work Automatically

```bash
git add .
git commit -m "changes"  # Hooks run automatically
```

## Files

| File | Purpose |
|------|---------|
| `.github/workflows/flake-check.yaml` | CI pipeline |
| `modules/git-hooks/default.nix` | Auto-install module |
| `flake.nix` | Hook definitions |
| `.editorconfig` | Code style |

## Enable on Other Hosts

```nix
# hosts/<hostname>/default.nix
imports = [
  # ... existing modules
  ../../modules/git-hooks  # Add this
];

services.git-hooks.enable = true;
```

## Add More Hooks

Edit `flake.nix`:

```nix
checks.${system}.pre-commit-check.hooks = {
  nixfmt-rfc-style.enable = true;  # ✅ Already done
  statix.enable = true;             # ✅ Already done
  deadnix.enable = true;            # ✅ Already done
};
```

All Phase 1 hooks are now enabled!

## Testing

```bash
# 1. Rebuild to install hooks
sudo nixos-rebuild switch --flake .#andromache

# 2. Test hooks
git commit -m "test"

# 3. Test CI locally
nix run nixpkgs#nixfmt --check .
nix flake check
```

## Documentation

- `CI_HOOKS_SUMMARY.md` - This file
- `DRUPOL_INFRA_ANALYSIS.md` - Reference patterns
- `AWESOME_NIX_PLAN.md` - Future improvements
- `OPENCODE.md` - Tracking document

## Currently Enabled

| Host | Status | Config File |
|------|--------|--------------|
| andromache | ✅ Enabled | `hosts/andromache/default.nix` |
| astyanax | ✅ Enabled | `hosts/astyanax/default.nix` |
| hecuba | ✅ Enabled | `hosts/hecuba/default.nix` |
| eetion | ✅ Enabled | `hosts/eetion/default.nix` |
| vm | ✅ Enabled | `hosts/vm/default.nix` |

## Clean Slate Test (Astyanax)

```bash
# 1. Remove existing git hooks
rm -rf /home/h/nix/.git/hooks/*
ls -la /home/h/nix/.git/hooks/

# 2. Rebuild astyanax (installs hooks)
sudo nixos-rebuild switch --flake .#astyanax

# Expected output:
# 🪝 Installing git hooks...
# ✅ Done

# 3. Verify hooks were installed
ls -la /home/h/nix/.git/hooks/

# 4. Test hooks work
echo "broken { }" > /home/h/nix/test.nix
git add test.nix
git commit -m "test"  # Should fail with nixfmt error

# 5. Clean up
rm /home/h/nix/test.nix
```

## Future Enhancements

### High Priority
- [x] Add statix hook (lint for antipatterns) ✅ Done
- [x] Add deadnix hook (find dead code) ✅ Done
- [x] Enable git-hooks on all hosts ✅ Done
- [ ] Add CI caching (speed up builds)

### Medium Priority
- [ ] Add automated flake.lock updates
- [ ] Add per-host CI checks
- [ ] Add nixos-rebuild tests in CI

## References

- [git-hooks.nix](https://github.com/cachix/git-hooks.nix)
- [nixfmt-rfc-style](https://github.com/NixOS/nixfmt)
- [drupol/infra analysis](DRUPOL_INFRA_ANALYSIS.md)
- [awesome-nix plan](AWESOME_NIX_PLAN.md)
- [OpenCode documentation](OPENCODE.md)

## Quick Reference

```bash
# Rebuild (installs hooks automatically)
sudo nixos-rebuild switch --flake .#<host>

# Verify hooks
ls -la /home/h/nix/.git/hooks/

# Test formatting
nixfmt .

# Check CI status
# https://github.com/hektor/nix/actions
```

## Key Points

✅ **Fully declarative** - Hooks install on every rebuild
✅ **No manual setup** - No `nix develop` needed
✅ **No devShell** - Pure NixOS activation
✅ **Reproducible** - Managed by flake.lock
✅ **Host-aware** - Per-host configuration
✅ **Idempotent** - Checks before installing