DeterminateSystems · lucperkins · Sep 18, 2025 · Sep 17, 2025 · Sep 17, 2025 · Sep 17, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
       contents: read
     steps:
       - name: git checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Check Nixpkgs input
         uses: DeterminateSystems/flake-checker-action@main
         with:
@@ -46,12 +46,12 @@ jobs:
         run: |
           ./scripts/check-templates.sh
 
-  build-example-dev-shells:
+  build-shells-and-templates:
     runs-on: ${{ matrix.systems.runner }}
     needs: test
     permissions:
       id-token: write
-      contents: read
+      contents: write
     strategy:
       matrix:
         systems:
@@ -62,32 +62,15 @@ jobs:
           - nix-system: x86_64-linux
             runner: UbuntuLatest32Cores128G
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: DeterminateSystems/determinate-nix-action@main
       - uses: DeterminateSystems/flakehub-cache-action@main
 
       - name: Build example dev shells
         run: ./scripts/build-example-dev-shells.sh
 
-  build-pkg-templates:
-    runs-on: ${{ matrix.systems.runner }}
-    needs: test
-    permissions:
-      id-token: write
-      contents: write
-    strategy:
-      matrix:
-        systems:
-          - nix-system: aarch64-darwin
-            runner: macos-latest-xlarge
-          - nix-system: x86_64-darwin
-            runner: macos-latest-xlarge
-          - nix-system: x86_64-linux
-            runner: UbuntuLatest32Cores128G
-    steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/determinate-nix-action@main
-      - uses: DeterminateSystems/flakehub-cache-action@main
+      - name: Build dev shells in templates
+        run: ./scripts/build-dev-templates.sh
 
       - name: Build packages in pkg templates
         run: ./scripts/build-pkg-templates.sh

diff --git a/.github/workflows/flakehub-cache.yml b/.github/workflows/flakehub-cache.yml
@@ -20,7 +20,7 @@ jobs:
           - nix-system: x86_64-linux
             runner: UbuntuLatest32Cores128G
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: DeterminateSystems/determinate-nix-action@main
       - uses: DeterminateSystems/flakehub-cache-action@main
       - name: Build dev shell for ${{ matrix.systems.nix-system }} on ${{ matrix.systems.runner }}

diff --git a/.github/workflows/flakehub-publish-rolling.yml b/.github/workflows/flakehub-publish-rolling.yml
@@ -12,7 +12,7 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: DeterminateSystems/determinate-nix-action@main
       - uses: DeterminateSystems/flakehub-push@main
         with:

diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
@@ -3,7 +3,7 @@ name: "Flake.lock: update Nix dependencies"
 on:
   workflow_dispatch: # allows manual triggering
   schedule:
-    - cron: "0 0 * * 0" # runs weekly on Sunday at 00:00
+    - cron: "30 1 1,15 * *" # runs roughly every two weeks
 
 jobs:
   nix-flake-update:
@@ -14,11 +14,57 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: DeterminateSystems/determinate-nix-action@v3
       - uses: DeterminateSystems/update-flake-lock@main
         with:
-          pr-title: "Update Nix flake inputs" # Title of PR to be created
+          pr-title: "Update root Nix flake inputs" # Title of PR to be created
           pr-labels: | # Labels to be set on the PR
             dependencies
             automated
+
+  nix-flake-update-templates:
+    permissions:
+      contents: write
+      id-token: write
+      issues: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: DeterminateSystems/determinate-nix-action@v3
+      - uses: DeterminateSystems/flakehub-cache-action@main
+      - name: Update template flake.lock files
+        id: update
+        run: |
+          ./scripts/update-template-inputs.sh
+      - name: Detect potential changes
+        id: detect-changes
+        run: |
+          if git diff --quiet && git diff --cached --quiet; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Create pull request for changes
+        if: ${{ steps.detect-changes.outputs.changed == 'true' }}
+        uses: peter-evans/create-pull-request@v7
+        with:
+          base: main
+          branch: flake-template-input-update
+          delete-branch: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+          title: "[Automated] Update template flake inputs"
+          commit-message: "Every-other-weekly template flake input update"
+          committer: github-actions[bot] github-actions[bot]@users.noreply.github.com
+          assignees: lucperkins
+          reviewers: lucperkins
+          labels:
+            automated
+            templates
+            update
+          body: |
+            This PR was created by an automated process that updates the flake inputs for the various flake
+            templates in Zero to Nix.
+
+            You can see the logic behind this in `.github/workflows/update-flake-lock.yml`.
diff --git a/flake.nix b/flake.nix
@@ -4,128 +4,140 @@
   inputs.nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1.*";
 
   outputs =
-    { self
-    , nixpkgs
+    {
+      self,
+      nixpkgs,
     }:
 
     let
-      # Systems supported
-      allSystems = [
+      # Nix systems supported
+      supportedSystems = [
         "x86_64-linux" # 64-bit Intel/AMD Linux
         "aarch64-linux" # 64-bit ARM Linux
         "x86_64-darwin" # 64-bit Intel macOS
         "aarch64-darwin" # 64-bit ARM macOS
       ];
 
-      forAllSystems = f: nixpkgs.lib.genAttrs allSystems (system: f {
-        pkgs = import nixpkgs { inherit system; };
-      });
+      forEachSupportedSystem =
+        f:
+        nixpkgs.lib.genAttrs supportedSystems (
+          system:
+          f {
+            inherit system;
+            pkgs = import nixpkgs { inherit system; };
+          }
+        );
 
       # Helper function for scripting
       runPkg = pkgs: pkg: "${pkgs.${pkg}}/bin/${pkg}";
     in
     {
-      devShells = forAllSystems
-        ({ pkgs }:
-          let
-            common = with pkgs; [
-              # Language
-              vale
-
-              # Link checking
-              htmltest
-              lychee
-
-              # JS
-              nodejs
-              pnpm
-
-              # Serve locally
-              static-web-server
-            ];
-
-            run = pkg: runPkg pkgs pkg;
-
-            scripts = with pkgs; [
-              (writeScriptBin "clean" ''
-                rm -rf dist
-              '')
-
-              (writeScriptBin "setup" ''
-                clean
-                ${run "pnpm"} install
-              '')
-
-              (writeScriptBin "build" ''
-                setup
-                ${run "pnpm"} run build
-              '')
-
-              (writeScriptBin "build-ci" ''
-                setup
-                ENV=ci ${run "pnpm"} run build
-              '')
-
-              (writeScriptBin "dev" ''
-                setup
-                ${run "pnpm"} run dev
-              '')
-
-              (writeScriptBin "format" ''
-                setup
-                ${run "pnpm"} run format
-              '')
-
-              (writeScriptBin "check-internal-links" ''
-                ${run "htmltest"} --conf ./.htmltest.internal.yml
-              '')
-
-              (writeScriptBin "lint-style" ''
-                ${run "vale"} src/pages
-              '')
-
-              (writeScriptBin "preview" ''
-                build
-                ${run "pnpm"} run preview
-              '')
-
-              # Run this to see if CI will pass
-              (writeScriptBin "ci" ''
-                set -e
-                build-ci
-                check-internal-links
-                lint-style
-              '')
-            ];
-
-            exampleShells = import ./nix/shell/example.nix { inherit pkgs; };
-          in
-          {
-            inherit (exampleShells) example cpp haskell hook javascript python go rust scala multi;
-          } // {
-            default = pkgs.mkShell
-              {
-                packages = common ++ scripts;
-              };
-          });
-
-      apps = forAllSystems ({ pkgs }:
+      devShells = forEachSupportedSystem (
+        { pkgs, system }:
         let
-          run = pkg: runPkg pkgs pkg;
-
-          runLocal = pkgs.writeScriptBin "run-local" ''
-            rm -rf dist
-            ${run "pnpm"} install
-            ${run "pnpm"} run build
-            ${run "pnpm"} run preview
-          '';
+          common = with pkgs; [
+            # Language
+            vale
+
+            # Link checking
+            htmltest
+            lychee
+
+            # JS
+            nodejs
+            pnpm
+
+            # Serve locally
+            static-web-server
+
+            self.formatter.${system}
+          ];
+
+          script =
+            name: runtimeInputs: text:
+            pkgs.writeShellApplication {
+              inherit name runtimeInputs text;
+            };
+
+          scripts = with pkgs; [
+            (script "setup" [ pnpm ] "pnpm install")
+
+            (script "build" [ pnpm ] ''
+              setup
+              pnpm run build
+            '')
+
+            (script "build-ci" [ pnpm ] ''
+              setup
+              ENV=ci pnpm run build
+            '')
+
+            (script "dev" [ pnpm ] ''
+              setup
+              pnpm run dev
+            '')
+
+            (script "format" [ pnpm ] ''
+              setup
+              pnpm run format
+            '')
+
+            (script "check-internal-links" [ htmltest ] ''
+              htmltest --conf ./.htmltest.internal.yml
+            '')
+
+            (script "lint-style" [ vale ] ''
+              vale src/pages
+            '')
+
+            (script "preview" [ pnpm ] ''
+              build
+              pnpm run preview
+            '')
+
+            (script "check-nix-formatting" [ nixfmt-rfc-style ] ''
+              git ls-files -z '*.nix' | xargs -0 -r nixfmt --check
+            '')
+
+            (script "format-nix" [ ] ''
+              git ls-files -z '*.nix' | xargs -0 -r nix fmt
+            '')
+
+            # Run this to see if CI will pass
+            (script "ci" [ ] ''
+              set -e
+
+              check-nix-formatting
+              build-ci
+              check-internal-links
+              lint-style
+            '')
+          ];
+
+          exampleShells = import ./nix/shell/example.nix { inherit pkgs; };
         in
         {
-          default = {
-            type = "app";
-            program = "${runLocal}/bin/run-local";
+          inherit (exampleShells)
+            example
+            cpp
+            haskell
+            hook
+            javascript
+            python
+            go
+            rust
+            scala
+            multi
+            ;
+        }
+        // {
+          default = pkgs.mkShellNoCC {
+            packages = common ++ scripts;
           };
-        });
+        }
+      );
+
+      formatter = forEachSupportedSystem ({ pkgs, ... }: pkgs.nixfmt-rfc-style);
 
       templates = {
         cpp-dev = {