Conversation

@lucperkins (Member) commented Oct 6, 2025

Summary by CodeRabbit

  • Chores
    • Switched Nix flake input to a more secure source to improve supply-chain integrity.
    • Updated CI permissions to use OIDC (id-token write, contents read) for token handling.
    • Removed macOS x86_64 (Intel) from build and cache matrices, reducing macOS x86_64 build artifacts.
    • Disabled one flake checking step in CI (skipped, not removed).
    • No functional or runtime changes to the application; build/development behavior otherwise unchanged.

coderabbitai bot commented Oct 6, 2025

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • flake.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Replaced the nixpkgs flake input URL and removed x86_64-darwin from supported systems in flake.nix; removed macOS x86_64-darwin entries from CI matrices (build.yml, flakehub-cache.yml); added permissions to the rust-fmt-and-clippy job; disabled the flake-checker-action step via if: false in .github/workflows/nix.yml.

Changes

Flake inputs & systems (flake.nix):
  Updated inputs.nixpkgs.url from https://flakehub.com/f/NixOS/nixpkgs/0 to https://flakehub.com/f/DeterminateSystems/secure/0. Edited forAllSystems to remove x86_64-darwin, leaving ["x86_64-linux" "aarch64-linux" "aarch64-darwin"].

CI workflow permissions (.github/workflows/rust.yml):
  Added permissions block to the rust-fmt-and-clippy job: id-token: "write" and contents: "read".

CI matrix adjustments (.github/workflows/build.yml, .github/workflows/flakehub-cache.yml):
  Removed x86_64-darwin matrix entries / macOS x86_64 runner entries, leaving aarch64-darwin, aarch64-linux, and x86_64-linux platforms.

CI step disabled (.github/workflows/nix.yml):
  Added if: false to the flake-checker-action step, effectively skipping that step while keeping it present in the workflow.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer (push)
    participant GH as GitHub Actions
    participant Matrix as Matrix Evaluator
    participant Runner as Runner Pool
    participant FlakeCheck as flake-checker-action

    Dev->>GH: push commit
    GH->>Matrix: evaluate workflows & matrices
    Note right of Matrix #D3E4CD: Matrix excludes `x86_64-darwin`
    Matrix->>Runner: start jobs for [aarch64-darwin, aarch64-linux, x86_64-linux]
    Runner->>GH: report job results
    GH->>Dev: status + artifacts

    Note over GH,FlakeCheck #F6E7D7: flake-checker-action step present but\nconditional `if: false` prevents execution
    GH-xFlakeCheck: skip flake-checker-action

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I nibble the flake and tweak the trail,
swap the source and trim one scale.
Permissions set, one check on pause,
fewer runners, but still applause.
— a hopping rabbit, small and hale 🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title “Use secure packages” accurately summarizes the central update of replacing the default nixpkgs input with the secure DeterminateSystems flake and aligns with the branch’s intent to adopt secure package sources.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.


coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
flake.nix (1)

5-5: Document and validate the DeterminateSystems “secure” flake

  • Add an inline comment in flake.nix explaining why you’re switching to DeterminateSystems’ security-hardened downstream of nixpkgs.
  • Confirm all required packages resolve and builds pass (e.g., run nix flake check).
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3abaad4 and f36a241.

⛔ Files ignored due to path filters (1)
  • flake.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • flake.nix (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build-artifacts (aarch64-darwin, macos-latest-xlarge, fh-ARM64-macOS)
  • GitHub Check: build-artifacts (x86_64-darwin, macos-14-large, fh-X64-macOS)
  • GitHub Check: build-artifacts (aarch64-linux, namespace-profile-default-arm64, fh-X64-Linux)
  • GitHub Check: build-artifacts (x86_64-linux, ubuntu-22.04, fh-ARM64-linux)
🔇 Additional comments (1)
flake.nix (1)

5-5: Verify build compatibility after nixpkgs URL update
Ensure the flake still evaluates and builds with the DeterminateSystems/secure source: on a system with Nix installed, run:

nix flake check --no-build
nix build .#default

to confirm rustToolchain, pkg-config, clang, and other dependencies are available.
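The two review notes above ask for the switch of the nixpkgs input to be validated and for the change to be visible in the repository. Beyond running nix flake check, a defender can enforce the intended source in CI by checking the committed flake.lock itself: every root input must carry a sha256 NAR hash, and its declared upstream must be on an allow-list. The script below is an added example written for this page, not code from the PR, from CodeRabbit, or from the project; the lock file it embeds is a constructed sample in the real flake.lock format (version 7) with placeholder hash and pinned URL, and the allow-list policy it applies (only the DeterminateSystems secure flake for nixpkgs) is an assumption based on the URL this PR introduces.

```python
import json

# Constructed sample flake.lock in the real lock-file format (version 7). It is
# not the PR's actual lock file; narHash and the pinned tarball URL are placeholders.
SAMPLE_FLAKE_LOCK = """{
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1759700000,
        "narHash": "sha256-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLA=",
        "type": "tarball",
        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/secure/0.0.0/PLACEHOLDER/source.tar.gz"
      },
      "original": {
        "type": "tarball",
        "url": "https://flakehub.com/f/DeterminateSystems/secure/0"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
}
"""

# Assumed policy for this example: which upstream each top-level input may come from.
ALLOWED_SOURCES = {
    "nixpkgs": {"https://flakehub.com/f/DeterminateSystems/secure/0"},
}


def resolve_node(nodes, root_name, ref):
    """Resolve an input reference to a node name. A plain string names a node;
    a list is a 'follows' path walked from the root node."""
    if isinstance(ref, str):
        return ref
    current = root_name
    for step in ref:
        current = resolve_node(nodes, root_name, nodes[current]["inputs"][step])
    return current


def original_source(node):
    """Render a node's 'original' entry as a single comparable string."""
    original = node.get("original", {})
    if "url" in original:
        return original["url"]
    if original.get("type") == "github":
        return f"github:{original.get('owner')}/{original.get('repo')}"
    return json.dumps(original, sort_keys=True)


def check_flake_lock(lock_text, allowed=ALLOWED_SOURCES):
    """Return a list of findings for the lock file's root inputs (empty == pass)."""
    lock = json.loads(lock_text)
    findings = []
    if lock.get("version") != 7:
        findings.append(f"unexpected lock version {lock.get('version')!r}")
    nodes = lock["nodes"]
    root_name = lock["root"]
    for name, ref in nodes[root_name].get("inputs", {}).items():
        node = nodes.get(resolve_node(nodes, root_name, ref))
        if node is None:
            findings.append(f"{name}: lock references a missing node")
            continue
        # Integrity: the locked input must be pinned by a sha256 NAR hash.
        if not node.get("locked", {}).get("narHash", "").startswith("sha256-"):
            findings.append(f"{name}: no sha256 narHash pinned")
        # Provenance: the declared upstream must be on the allow-list.
        source = original_source(node)
        if name not in allowed:
            findings.append(f"{name}: no allow-list policy for this input")
        elif source not in allowed[name]:
            findings.append(f"{name}: source {source!r} is not allow-listed")
    return findings


def with_original_url(lock_text, input_name, new_url):
    """Return a copy of the lock text with one input's original URL replaced,
    used here to exercise the policy against a non-allow-listed source."""
    lock = json.loads(lock_text)
    lock["nodes"][input_name]["original"]["url"] = new_url
    return json.dumps(lock)


if __name__ == "__main__":
    import sys
    # Usage: python check_flake_lock.py [path/to/flake.lock]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FLAKE_LOCK
    problems = check_flake_lock(text)
    for line in problems:
        print("FAIL:", line)
    sys.exit(1 if problems else 0)
```

Run as a CI step with the repository's flake.lock as the argument, the non-zero exit fails the job when someone re-points nixpkgs at a source outside the policy or commits an input without a NAR hash; the check is on the lock file rather than flake.nix because the lock is what nix actually resolves.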
